3.5.1e

Requirement

Identify and authenticate [Assignment: organization-defined systems and system components] before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.

Discussion

Cryptographically-based and replay-resistant authentication between systems, components, and devices addresses the risk of unauthorized access from spoofing (i.e., claiming a false identity). The requirement applies to client-server authentication, server-server authentication, and device authentication (including mobile devices). The cryptographic key for authentication transactions is stored in suitably secure storage available to the authenticator application (e.g., keychain storage, Trusted Platform Module [TPM], Trusted Execution Environment [TEE], or secure element). Mandating authentication requirements at every connection point may not be practical, and therefore, such requirements may only be applied periodically or at the initial point of network connection. [SP 800-63-3] provides guidance on identity and authenticator management.

NIST 800-172A Assessment Guidance

Examine

[SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; network connection policy; security plan; system configuration settings and associated documentation; system design documentation; list of devices requiring unique identification and authentication; device connection reports; system audit records; list of privileged system accounts; other relevant documents or records].
Interview

[SELECT FROM: Organizational personnel responsible for system operations; organizational personnel responsible for account management; organizational personnel responsible for device identification and authentication; organizational personnel responsible for information security; system/network administrators; system developers].
Test

[SELECT FROM: Cryptographically-based bidirectional authentication mechanisms; mechanisms supporting and/or implementing network connection policy; mechanisms supporting and/or implementing replay-resistant authentication mechanisms; mechanisms supporting and/or implementing an identification and authentication capability; mechanisms supporting and/or implementing a device identification and authentication capability].

ID	Assessment Objectives
3.5.1e_ODP[1]	Systems and system components to identify and authenticate are defined.
3.5.1e[a]	Bidirectional authentication that is cryptographically-based is implemented.
3.5.1e[b]	Bidirectional authentication that is replay-resistant is implemented.
3.5.1e[c]	<3.5.1e_ODP[1]: systems and system components> are identified and authenticated before establishing a network connection using bidirectional authentication that is cryptographically-based and replay-resistant.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!