Control 3.5.4
Employ Replay-Resistant Authentication
Official Requirement
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
What This Means in Plain English
Authentication must resist replay attacks, in which an attacker records a valid authentication exchange (a password, a password hash, a signed message, a session token) and later resends it to gain access without ever knowing the underlying secret. Replay resistance comes from making every authentication unique: the verifier contributes an unpredictable challenge or nonce that the prover must incorporate, the proof is bound to a timestamp or counter that the verifier tracks, or the resulting token is bound to the session or device that obtained it. Kerberos (encrypted, time-stamped authenticators), TLS (fresh handshake randoms, and client certificates where used), and FIDO2 (signatures over a server-issued challenge) are examples of replay-resistant mechanisms.
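The difference between a replayable credential and a replay-resistant exchange is easiest to see with both sides of the protocol in code. The following is an added example written for this page, not Petronella's or any vendor's code: a minimal server issues a random single-use nonce, the client answers with an HMAC over that nonce, and the captured answer is then replayed and refused. A static-password server is shown alongside for contrast. The user name, secrets and fake clock are constructed for the example.

```python
"""Challenge-response login with single-use nonces vs. a replayable static credential.

Added illustration, not production code from the page: a minimal server that issues
a random nonce, accepts exactly one valid response to it, and rejects the same
captured response when it is presented again. The user 'alice', the secrets and
the fake clock are constructed for the example.
"""
import hashlib
import hmac
import os
import time

NONCE_LIFETIME_SECONDS = 300  # same order as Kerberos' default 5-minute clock skew


class ChallengeResponseServer:
    """Replay-resistant: every login needs a fresh, server-chosen nonce."""

    def __init__(self, shared_secrets: dict[str, bytes], clock=time.time):
        self._secrets = shared_secrets          # user -> shared secret (constructed)
        self._pending: dict[bytes, float] = {}  # outstanding nonce -> issue time
        self._clock = clock

    def issue_challenge(self) -> bytes:
        nonce = os.urandom(16)                  # unpredictable 128-bit challenge
        self._pending[nonce] = self._clock()
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        issued = self._pending.pop(nonce, None) # single use: consumed even on failure
        if issued is None:
            return False                        # unknown or already-used nonce: replay
        if self._clock() - issued > NONCE_LIFETIME_SECONDS:
            return False                        # stale challenge
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """What the legitimate client sends back: HMAC-SHA256(secret, nonce)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class StaticCredentialServer:
    """Not replay-resistant: the identical message authenticates every time."""

    def __init__(self, password_hashes: dict[str, bytes]):
        self._hashes = password_hashes

    def verify(self, user: str, password: bytes) -> bool:
        digest = hashlib.sha256(password).digest()
        stored = self._hashes.get(user, b"")
        return hmac.compare_digest(stored, digest)


def run_demo() -> dict[str, bool]:
    secret = os.urandom(32)
    now = [1_700_000_000.0]           # fake clock so expiry is testable offline
    cr = ChallengeResponseServer({"alice": secret}, clock=lambda: now[0])

    # Legitimate login; `msg` is exactly what an eavesdropper would capture.
    nonce = cr.issue_challenge()
    msg = ("alice", nonce, client_response(secret, nonce))
    legit = cr.verify(*msg)

    # Attacker replays the captured message verbatim: nonce already consumed.
    replay_rejected = not cr.verify(*msg)

    # Attacker sits on a captured exchange until the challenge has expired.
    nonce2 = cr.issue_challenge()
    msg2 = ("alice", nonce2, client_response(secret, nonce2))
    now[0] += NONCE_LIFETIME_SECONDS + 1
    stale_rejected = not cr.verify(*msg2)

    # Contrast: a static password is accepted every time it is replayed.
    static = StaticCredentialServer({"alice": hashlib.sha256(b"hunter2").digest()})
    captured = ("alice", b"hunter2")
    static.verify(*captured)                    # first, legitimate use
    static_replay_succeeds = static.verify(*captured)

    return {
        "legit_login_accepted": legit,
        "nonce_replay_rejected": replay_rejected,
        "stale_challenge_rejected": stale_rejected,
        "static_credential_replay_succeeds": static_replay_succeeds,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two design points carry over to real deployments. The nonce is consumed even when verification fails, so an attacker cannot keep retrying guesses against one challenge. And a nonce alone does not stop an attacker who relays the challenge and response in real time to a different server; production protocols add server identity to the signed material (channel binding, Kerberos service principal, FIDO2 relying-party ID) to close that gap.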
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Kerberos authentication in Active Directory, whose encrypted, time-stamped authenticators are rejected by the receiving service if presented outside the clock-skew window or a second time within it
- TLS for all web applications, so that passwords and session tokens are never exposed on the wire for an attacker to capture and replay
- FIDO2 security keys, which sign a fresh server-issued challenge (and increment a signature counter) so a captured assertion is useless for a later login
- Microsoft Entra token protection, which binds sign-in session tokens to the device they were issued to and flags tokens replayed from elsewhere
- FortiGate IPsec VPN with ESP anti-replay enabled, which tracks packet sequence numbers in a sliding window and drops duplicated or out-of-window packets
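The sequence-number check that ESP anti-replay performs is a small, well-defined algorithm (RFC 4303, Appendix A), and seeing it run makes clear what "anti-replay enabled" actually rejects. The following is an added example, not FortiGate's or any vendor's implementation: a receiver keeps the highest sequence number accepted and a bitmap of the last 64, and drops anything older than the window or already marked. The packet sequence numbers fed to it are constructed for the example.

```python
"""Sliding-window anti-replay check in the style of IPsec ESP (RFC 4303 Appendix A).

Added example, not FortiGate code: the receiver remembers the highest sequence
number accepted and a bitmap of which of the last WINDOW numbers have been seen.
A packet is dropped if it falls left of the window or is already marked.
The packet sequence numbers in simulate() are constructed for the example.
"""

WINDOW = 64  # RFC 4303 requires at least 32; 64 is a common default


class AntiReplayWindow:
    def __init__(self, window: int = WINDOW):
        self.window = window
        self.highest = 0       # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if seq is new and inside the window."""
        if seq <= 0:
            return False                        # ESP sequence numbers start at 1
        if seq > self.highest:
            # Newer than anything seen: slide the window right by the gap.
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 1                 # every older packet falls out of the window
            else:
                mask = (1 << self.window) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window:
            return False                        # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                        # already seen: replay
        self.bitmap |= 1 << offset              # late but legitimate reordering
        return True


def simulate(seqs: list[int], window: int = WINDOW) -> list[bool]:
    """Feed a constructed packet sequence through one window; return accept/drop per packet."""
    w = AntiReplayWindow(window)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed capture: reordering (3 before 2) is fine, duplicates and
    # packets that fell out of the window are dropped.
    trace = [1, 3, 2, 3, 100, 36, 37, 1, 100]
    for seq, ok in zip(trace, simulate(trace)):
        print(f"seq {seq:>4}: {'accept' if ok else 'DROP'}")
```

Two consequences follow for VPN operators. Reordering within the window is tolerated, so a 64-packet window is not a reliability problem on normal links. And because the window only advances on new packets, the check is only meaningful when the sequence numbers themselves are covered by the ESP integrity check; anti-replay without integrity protection is trivially bypassed by forging a higher number.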
Assessment Guidance
Assessors will verify that every network authentication path (domain logon, web applications, VPN, remote administration) uses a replay-resistant protocol; check that NTLM is restricted or disabled in favor of Kerberos, for example by reviewing the "Network security: Restrict NTLM" group policy settings and looking for logon events (Event ID 4624) whose Authentication Package is NTLM; test that VPN tunnels have anti-replay enabled; and review that legacy protocols without replay protection (LM and NTLMv1, Basic authentication over plaintext HTTP) are disabled.
Common Implementation Gaps
- NTLM authentication still in use: the NT hash is a reusable credential (pass-the-hash) and NTLM responses can be relayed to another host in real time, so assessors treat it as replay-vulnerable
- Legacy authentication protocols (LM, NTLMv1, cleartext RADIUS PAP) that lack challenge, nonce, or timestamp protection
- Basic or form-based password authentication over HTTP without TLS, which exposes a reusable credential on the wire
- VPN tunnels with anti-replay disabled, so captured ESP packets are accepted when resent
- Session tokens and cookies not bound to the device or session that obtained them, so a stolen token can be replayed from anywhere
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | IA-2(8) |
Need Help Implementing 3.5.4?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment