1. Home
  2. FedRAMP
  3. SC-23

BRACKETOLOGY | FEDRAMP

SC-23: SESSION AUTHENTICITY

  • FedRAMP Baseline Membership SC-23:
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The information system protects the authenticity of communications sessions.

SUPPLEMENTAL GUIDANCE

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

CONTROL ENHANCEMENTS

SC-23 (1) SESSION AUTHENTICITY | INVALIDATE SESSION IDENTIFIERS AT LOGOUT
  • FedRAMP Baseline Membership SC-23 (1):
  • HIGH

The information system invalidates session identifiers upon user logout or other session termination.

Supplemental Guidance:

This control enhancement curtails the ability of adversaries from capturing and continuing to employ previously valid session IDs.

SC-23 (2) SESSION AUTHENTICITY | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS

[Withdrawn: Incorporated into AC-12 (1)].

SC-23 (3) SESSION AUTHENTICITY | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION

The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.

Supplemental Guidance:

This control enhancement curtails the ability of adversaries from reusing previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.

RELATED CONTROLS: SC-23 (3)

SC-23 (4) SESSION AUTHENTICITY | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION

[Withdrawn: Incorporated into SC-23 (3)].

SC-23 (5) SESSION AUTHENTICITY | ALLOWED CERTIFICATE AUTHORITIES

The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

Supplemental Guidance:

Reliance on certificate authorities (CAs) for the establishment of secure sessions includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer Security (TLS) certificates. These certificates, after verification by the respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.

RELATED CONTROLS: SC-23 (5)

REFERENCES:

  • NIST Special Publication 800-52
  • NIST Special Publication 800-77
  • NIST Special Publication 800-95