Make sure a communications session really is with the party it claims to be — and can't be hijacked mid-stream.
What it actually means
Protect the authenticity of communications sessions so they can't be spoofed or hijacked. In practice this is delivered by the same protocols that encrypt traffic — TLS, IPsec/VPN, SSH — which authenticate the endpoints and protect session integrity. The task is to use those protocols everywhere CUI sessions occur, with valid certificates and no weak fallbacks.
Pass or fail — an assessor needs a "yes" to each
- Are CUI communications sessions protected by authenticated protocols (TLS, IPsec, SSH) with valid certificates?
- Have you disabled weak or legacy protocols that don't protect session authenticity?
What to have ready
- TLS / IPsec / SSH configuration and certificate management
- Evidence that legacy or weak protocols are disabled
Where teams trip up
- Self-signed or expired certificates that users click through
- Legacy protocols (old TLS/SSL) still enabled
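An added offline check for the two trip-ups above (example code, not part of the original page): it scans nginx `ssl_protocols` directives for legacy versions left enabled, and flags a certificate, in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, that is self-signed or outside its validity window. The nginx snippets, hostnames and certificate dates are constructed samples.

```python
"""Offline evidence checks for session authenticity (added example, constructed data)."""
import re
import ssl
import time

# Protocol names nginx accepts in ssl_protocols that no longer protect session authenticity.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def enabled_legacy_protocols(nginx_conf):
    """Return legacy protocol names found in any `ssl_protocols` directive, in order."""
    found = []
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", nginx_conf, re.M):
        for proto in m.group(1).split():
            if proto in LEGACY_PROTOCOLS and proto not in found:
                found.append(proto)
    return found

def _name(rdns):
    """Flatten the nested tuples ssl.getpeercert() uses for subject/issuer."""
    return {k: v for rdn in rdns for k, v in rdn}

def certificate_findings(cert, now=None):
    """Flag a getpeercert()-style dict that a strict client would reject."""
    now = time.time() if now is None else now
    findings = []
    subject, issuer = _name(cert.get("subject", ())), _name(cert.get("issuer", ()))
    if subject and subject == issuer:
        findings.append("self-signed: issuer equals subject")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired: notAfter " + cert["notAfter"])
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append("not yet valid: notBefore " + cert["notBefore"])
    return findings

# Constructed sample inputs (not from a real system).
WEAK_CONF = """server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}"""
HARDENED_CONF = WEAK_CONF.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
SELF_SIGNED = {
    "subject": ((("commonName", "portal.example.test"),),),
    "issuer": ((("commonName", "portal.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}
CA_SIGNED = dict(SELF_SIGNED, issuer=((("commonName", "Example Issuing CA"),),),
                 notAfter="Jan  1 00:00:00 2026 GMT")
```

Run `enabled_legacy_protocols` over each exported server config and `certificate_findings` over each endpoint's presented certificate; an empty result for both is the evidence an assessor is asking for.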
A 5-point control, but usually satisfied by the same TLS / VPN you already use for 3.13.8 — the key is valid certificates and no weak fallbacks.