IA.L2-3.5.4

  • Requirement

    Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

  • Discussion

    Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators.

    NIST SP 800-63-3 provides guidance on digital identities.

More Info

  • Title

    Replay-Resistant Authentication
  • Domain

    Identification and Authentication
  • CMMC Level

    2
  • Related NIST 800-171 ID

  • Related NIST 800-53 ID

    IA-2(8);IA-2(9)

  • DoD Scoring Methodology Points

    1

  • Reference Documents

  • Further Discussion

    When insecure protocols are used for access to computing resources, an adversary who can observe the network may capture the authentication exchange and reuse (replay) it, immediately or later, to authenticate as the legitimate user without ever learning the password or key. It is important to use mechanisms that resist this technique.

    Example

    To protect your IT infrastructure, you understand that authentication exchanges must not be capturable and re-sent to your systems by an adversary. You select Kerberos for authentication because of its built-in resistance to replay attacks: each authenticator carries a timestamp, and services keep a replay cache that rejects a duplicate authenticator within the permitted clock skew. As a next step you upgrade all of your web applications to require Transport Layer Security (TLS), so that credentials are never sent in the clear and the record layer rejects replayed records (TLS 1.3 0-RTT early data is the exception and should not carry authentication requests). Your use of MFA to protect remote access also confers some replay resistance: a one-time code is accepted once and expires with its time step, although a code phished before its first use can still be relayed within that window.
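    The two mechanisms named in the Discussion (a nonce challenge-response exchange and a time-synchronous one-time authenticator) are easiest to understand from the server-side state that makes a replay fail. The following is an added example written for this page, not code from CMMC, NIST or any product; the user name, shared key (the RFC 4226/6238 test key) and timestamps are constructed for the demo, and the TOTP replay guard follows the RFC 6238 advice to refuse any time step at or before the last one accepted.

```python
import hashlib
import hmac
import secrets
import struct


class ChallengeResponseServer:
    """Server side of a nonce challenge-response exchange.

    A fresh random nonce is issued per login attempt and the HMAC over that
    nonce is accepted exactly once.  A captured (nonce, response) pair is
    useless afterwards because the nonce is removed from the pending table.
    """

    def __init__(self, shared_keys, ttl=30.0):
        self._keys = dict(shared_keys)      # user -> shared secret (constructed)
        self._ttl = ttl                     # seconds a challenge stays valid
        self._pending = {}                  # nonce -> (user, expiry time)

    def issue_challenge(self, user, now):
        nonce = secrets.token_bytes(16)     # 128-bit random nonce, never reused
        self._pending[nonce] = (user, now + self._ttl)
        return nonce

    def verify(self, user, nonce, response, now):
        # pop() makes the challenge single-use: a second presentation of the
        # same nonce, replayed or not, finds nothing to match against.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        expected_user, expiry = entry
        if expected_user != user or now > expiry:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(shared_key, nonce):
    """Client side: prove possession of the key without sending it."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation); TOTP feeds a time step as counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Time-synchronous one-time code verifier with a replay guard.

    RFC 6238 section 5.2 advises remembering the last accepted time step and
    refusing anything at or before it, so a code an attacker captured cannot
    be submitted a second time even inside the clock-skew window.
    """

    def __init__(self, key, step=30, skew=1):
        self._key = key
        self._step = step
        self._skew = skew
        self._last_accepted_step = -1

    def verify(self, code, now):
        current = int(now // self._step)
        for t in range(current - self._skew, current + self._skew + 1):
            if t <= self._last_accepted_step:
                continue                    # already consumed: reject replay
            if hmac.compare_digest(hotp(self._key, t), code):
                self._last_accepted_step = t
                return True
        return False


def replay_demo():
    """Run both mechanisms against a recorded-and-replayed login; returns the outcomes."""
    key = b"12345678901234567890"          # RFC 4226/6238 test key, constructed for the demo
    server = ChallengeResponseServer({"alice": key})
    nonce = server.issue_challenge("alice", now=1000.0)
    response = client_respond(key, nonce)   # what a network sniffer would record
    first = server.verify("alice", nonce, response, now=1001.0)
    replayed = server.verify("alice", nonce, response, now=1002.0)

    totp = TotpVerifier(key)
    code = hotp(key, 59 // 30)              # the code the user's token shows at t=59 s
    totp_first = totp.verify(code, now=59)
    totp_replayed = totp.verify(code, now=65)   # same 30 s step, presented again
    return {"cr_first": first, "cr_replay": replayed,
            "totp_first": totp_first, "totp_replay": totp_replayed}


if __name__ == "__main__":
    print(replay_demo())
```

    Running the demo shows both first attempts succeeding and both replays failing. The practical difference between the two is worth noting for an assessment: the challenge-response nonce is dead the instant it is answered, whereas a time-synchronous code is only dead once it has been consumed or its step has passed, which is why a phished but not-yet-used code still needs to be relayed quickly to work.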

    Potential Assessment Considerations

    • Are only anti-replay authentication mechanisms used [a]?

NIST 800-171A Assessment Guidance
