SC-23 Session Authenticity

System and Communications Protection

Baselines: Low, Moderate, High

Description

The information system provides mechanisms to protect the authenticity of communications sessions.

Supplemental Guidance

This control focuses on communications protection at the session, versus packet, level. The intent of this control is to implement session-level protection where needed (e.g., in service-oriented architectures providing web-based services). NIST Special Publication 800-52 provides guidance on the use of transport layer security (TLS) mechanisms. NIST Special Publication 800-77 provides guidance on the deployment of IPsec virtual private networks (VPNs) and other methods of protecting communications sessions. NIST Special Publication 800-95 provides guidance on secure web services.
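The guidance above says where session-level protection belongs but not what a compliant versus non-compliant TLS client configuration looks like in practice. The following added example (not part of the NIST control text or SP 800-52) uses Python's standard `ssl` module to build a weak client context next to a hardened one and to audit either for the three properties that give a TLS session its authenticity: the peer certificate is required and validated, the hostname is checked against that certificate, and a floor of TLS 1.2 is enforced. The function names `weak_context`, `hardened_context` and `audit_context` are this example's own.

```python
import ssl

def weak_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: a client context that will
    happily talk to any peer presenting any certificate, so nothing binds
    the session to the server it was meant for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be disabled before verify_mode can drop to CERT_NONE
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Corrected configuration: system CA store, certificate required,
    hostname verification on, and no protocol version below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings against the session-authenticity properties
    SC-23 is concerned with; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer identity is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound to the intended host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions allowed")
    return findings

if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

`audit_context` can be pointed at any `SSLContext` an application constructs before it is used to open a connection, which makes it a cheap pre-deployment check for the kind of session-level protection the guidance calls for; it does not replace the server-side and certificate-management guidance in SP 800-52.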

Enhancements

(0) None.

Compliance Mappings

NIST CSF 2.0

PR.AA-04

FINOS CCC

CCC-C01

MAS TRM

14

ANSSI

Hygiene.12, Hygiene.24, SecNumCloud.10.5

FINMA Circular 2023/1

IV.B.d(59), IV.C(63)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a), Art.32(1)(b)

EU DORA

Art.9(3)

RBI CSF

Annex1.9

FISC Security Guidelines

FISC.T12, FISC.T8

LGPD + BCB 4893

BCB.OpenFinance, BCB.PIX

HKMA TM-E-1

TME1.10.1, TME1.8.4

DNB Good Practice

DNB.18.4

SAMA CSF

3.8

NCA ECC

2-5

UAE IA

T8

CBB TM

TM-8

Qatar NIA

CS

CBE CSF

CTO-5

CBN CSF

Part5.2

BoG CISD

CISD-IX

BoM CTRM

3.13

CPMI-IOSCO PFMI

PFMI.P22

FFIEC IS

II.C.13(b), II.C.16, II.C.6, II.C.9

NYDFS 500

500.12

HIPAA Security Rule

§164.312(e)(1)

EBA ICT Guidelines

3.8(b)

BOT Cyber Resilience

Ch2.4, Ch8.2, Ch9.1

CMMC 2.0

SC

NERC CIP

CIP-012-1

10 CFR 73.54

RG5.71-A-SC

IEEE 1686-2022

5.5, 5.8

IAEA NSS 17-T

Sec 5.6

PCI PTS v6

E

PCI HSM

3

Common Criteria

CC Part 2 — FRU/FTA/FTP

Lloyd's Minimum Standards

BP2.1

HITRUST CSF v11

01.b

FDA 21 CFR Part 11

§11.30, §11.300(d)

FDA Cybersecurity Guidance

SA-2

ISO 27799

9.5, H.5

OWASP MASVS v2.1

MASVS-AUTH-1, MASVS-AUTH-3, MASVS-NETWORK-1, MASVS-NETWORK-2

BSSC Standards

GSP-13

SEC Custody (Digital Assets)

SEC-CD-03

ISO 17799 (legacy)

None.

COBIT 4.1 (legacy)

AC6, DS5.11