Mapped to NIST 800-171 Requirement: 3.13.10
CMMC Assessment Objective: SC.L2-3.13.10[c]
What This Control Means
This is the operational implementation checkpoint: it asks not whether session authenticity is documented, but whether it is actually in force on live connections.
You must demonstrate that:
• Secure authentication methods are actively used to verify communications sessions
• The identity of the peer is established cryptographically at session initiation (certificate validation, key exchange), before any CUI is exchanged
• Neither systems nor users can bypass authentication or integrity checking, for example by falling back to an unauthenticated or weaker protocol
• Session integrity is maintained throughout the connection
The goal is to ensure you’re authenticating who you connect to—and who connects to you.
Why It Matters
Without enforced session authenticity:
• Attackers can impersonate systems or users
• Man-in-the-middle (MITM) attacks become possible
• Session hijacking could allow access to sensitive CUI systems
• Compliance goals cannot be met if protections aren’t live and working
Security only matters if it’s active, verifiable, and unbypassable.
How to Implement It
1. Test Communications Paths
• VPN sessions: Verify that the client validates the gateway certificate against a trusted CA (no "accept untrusted certificate" prompts) and that MFA is required
• RDP sessions: Confirm NLA (Network Level Authentication) is enforced so the user is authenticated before a desktop session is created
• Cloud logins: Confirm sessions are issued only after authentication (MFA where required), that tokens expire and are validated on every request, and that federation assertions (SAML/OIDC) are signed and verified
• APIs: Confirm OAuth tokens, API keys, or signed requests are required on every call; treat static API keys as the weakest of these and pair them with TLS and narrow scopes
2. Validate Secure Protocols
• TLS 1.2+ for all web-based or cloud system communication, with TLS 1.0/1.1 disabled and certificate validation enabled on both servers and clients
• SSH protocol 2 only for administrative remote access (the only version modern OpenSSH offers), with key- or certificate-based authentication rather than passwords
• IPsec tunnels (IKEv2 with certificate or strong pre-shared-key authentication) for site-to-site connections
3. Monitor for Session Violations
• Log and alert on session errors, failed certificate validations, or expired tokens
• Block systems trying to initiate sessions without secure authentication
4. Confirm Enforcement in Tools and Configurations
• Review:
◦ VPN concentrator settings
◦ Firewall policies
◦ Web server TLS enforcement (HTTPS only, allowed protocol versions, client certificate requirements where mutual TLS is used)
◦ API gateway rules
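The four steps above come together as a configuration and log review. The script below is an added example, not part of this page or of any vendor product: it audits two constructed configuration fragments (an nginx TLS server block and an OpenSSH sshd_config) for settings that would let a session start without strong authentication or without TLS 1.2+, and triages constructed log lines for the session-authentication failures step 3 says to alert on. The directive names and log formats are the real nginx, OpenSSH and OpenVPN ones; the file contents, hostnames, addresses and timestamps are invented for the demo.

```python
"""Offline audit of session-authentication enforcement (added example)."""
import re

# Constructed sample: an nginx TLS server block with two weak settings.
NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate        /etc/nginx/certs/app.pem;
    ssl_certificate_key    /etc/nginx/certs/app.key;
    ssl_client_certificate /etc/nginx/certs/ca.pem;
    ssl_verify_client optional;
}
"""

# Constructed sample: sshd_config that still accepts passwords.
SSHD_CONF = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample log lines in OpenVPN, nginx and sshd formats.
SAMPLE_LOGS = [
    "Mon Jun  3 10:01:12 2024 VERIFY ERROR: depth=0, error=certificate has expired: CN=laptop-17",
    "2024/06/03 10:02:40 [info] 1234#0: *88 SSL_do_handshake() failed (SSL: error:0A000076:SSL routines::no suitable signature algorithm) while SSL handshaking",
    "2024/06/03 10:02:41 [info] 1234#0: *89 client SSL certificate verify error: (10:certificate has expired) while reading client request headers",
    "Jun  3 10:03:02 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Jun  3 10:03:09 bastion sshd[2205]: Accepted publickey for ops from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:abc",
]

WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_nginx(text):
    """Return findings for TLS version and client-identity enforcement in an nginx config."""
    findings = []
    m = re.search(r"\bssl_protocols\s+([^;]+);", text)
    if m is None:
        findings.append("ssl_protocols not set: pin it explicitly to TLSv1.2 TLSv1.3")
    else:
        weak = sorted(set(m.group(1).split()) & WEAK_TLS)
        if weak:
            findings.append(f"ssl_protocols allows {' '.join(weak)}: restrict to TLSv1.2 TLSv1.3")
    m = re.search(r"\bssl_verify_client\s+(\w+);", text)
    mode = m.group(1) if m else "off"  # nginx default when the directive is absent
    if mode != "on":
        # 'optional' or 'off' means the peer's certificate is not required at session start;
        # acceptable only if another authentication method is enforced for every request.
        findings.append(f"ssl_verify_client is '{mode}': client identity not enforced at session start")
    return findings


def audit_sshd(text):
    """Return findings for an sshd_config; defaults follow OpenSSH when a directive is absent."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    findings = []
    # 'Protocol' only matters on legacy OpenSSH; modern builds are v2-only and ignore it.
    if settings.get("protocol", "2") != "2":
        findings.append(f"Protocol {settings['protocol']}: SSHv1 must not be offered")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: set to no so sessions require keys/certificates")
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: disallow direct root sessions")
    return findings


# Patterns for session-authentication failures worth a SIEM alert.
SESSION_AUTH_PATTERNS = [
    ("vpn_cert_verify_failed", re.compile(r"VERIFY ERROR:")),
    ("tls_handshake_failed", re.compile(r"SSL_do_handshake\(\) failed")),
    ("client_cert_verify_failed", re.compile(r"client SSL certificate verify error")),
    ("ssh_password_failed", re.compile(r"sshd\[\d+\]: Failed password")),
]


def triage_logs(lines):
    """Return (category, line) for each line that records a failed session authentication."""
    hits = []
    for line in lines:
        for category, pattern in SESSION_AUTH_PATTERNS:
            if pattern.search(line):
                hits.append((category, line))
                break
    return hits


def audit_all():
    """Run all checks against the constructed samples."""
    return {"nginx": audit_nginx(NGINX_CONF), "sshd": audit_sshd(SSHD_CONF), "logs": triage_logs(SAMPLE_LOGS)}


if __name__ == "__main__":
    for name, items in audit_all().items():
        print(f"== {name} ==")
        for item in items:
            print(" -", item)
```

Run against the samples it reports the two nginx weaknesses (TLS 1.0/1.1 enabled, client certificates only optional), the password-authentication gap in sshd, and four of the five log lines as alertable failures; the successful public-key login is correctly left alone. Point the two audit functions at real files and feed `triage_logs` from your log pipeline to turn this into the evidence an assessor asks for.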
Evidence the Assessor Will Look For
• System settings or configurations enforcing secure session authentication
• Logs showing successful and denied session authentications
• Packet captures showing the TLS or IKE handshake (certificate exchange, negotiated protocol version) and no cleartext session data
• Screenshots of VPN, cloud, or API connection settings enforcing authentication
• SIEM or IDS/IPS alerts related to session authentication anomalies
Common Gaps
• Encryption used but session identity verification not enforced (for example, TLS with certificate validation disabled, or client certificates set to optional)
• Authentication optional or inconsistently applied
• Admin sessions exposed without multifactor or strong session verification
• No alerting on failed or suspicious session authentication attempts
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Monitoring whether secure communication sessions are initiated and verified
• Tracking session authentication success/failure across CUI-related systems
• Alerting on violations, anomalies, or insecure sessions
• Linking session authenticity validation to user, system, and data flow inventories
• Providing proof of real-world encryption, authentication, and session integrity enforcement
With Cuick Trac, communication protections aren’t just configured—they’re actively verified and audit-ready.
Final CTA
In security, it’s not about what you intend—it’s about what you enforce.
Schedule a Cuick Trac demo to ensure your communications sessions are authenticated, protected, and resilient against threats.