Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.15 – Protect the authenticity of communications sessions.
Understanding the Requirement
This control requires that communications sessions be protected so that each party can trust it is talking to the intended system rather than to an attacker interposed in the session (a man-in-the-middle). The objective is to establish and preserve the authenticity of a session through cryptographic protection and authentication; in practice this means properly configured TLS, valid certificates that clients actually validate, and authentication strong enough that a session cannot be established or taken over with a captured password alone. This guidance maps to NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, and the intent is to make session-level interception, impersonation, hijacking, and replay infeasible for an attacker targeting an SMB environment.
Technical Implementation
- Deploy TLS with valid certificates: Ensure every web-facing and internal web interface uses TLS (TLS 1.2 or 1.3). Obtain certificates from a trusted CA (Let's Encrypt or a commercial CA) or a properly managed internal CA, and automate renewal to avoid expired certificates. Verify that servers present the correct certificate together with the full intermediate chain; a missing intermediate produces validation warnings that users learn to click through, which defeats the control. For small teams, automated tools (Certbot, ACME clients) reduce human error.
- Enforce secure server configurations: Disable weak protocols (SSLv3 and earlier, TLS 1.0/1.1) and weak ciphers (RC4, 3DES, export and NULL suites). Prefer cipher suites that provide forward secrecy (ECDHE key exchange) with AEAD encryption (AES-GCM, ChaCha20-Poly1305). Apply HSTS (HTTP Strict Transport Security) with a long max-age on web services so browsers refuse to fall back to plain HTTP, and mark session cookies Secure, HttpOnly, and SameSite (Lax or Strict) so a session token is never sent in the clear or attached to cross-site requests. For VPN appliances, apply the same protocol and cipher restrictions rather than keeping the permissive defaults many of them ship with.
- Require multi-factor authentication (MFA) for session establishment: Mandate MFA for all remote access, VPN logins, and any web application that grants access to sensitive data. Use time-based one-time passwords (TOTP), push-based authenticators, or hardware tokens. Tie session creation to successful MFA so an intercepted password alone cannot establish an authentic session.
- Use certificate validation and, where appropriate, certificate pinning or mutual TLS: For critical internal services (APIs, administrative interfaces), make sure clients actually validate the server certificate (chain, expiry, hostname) rather than disabling verification to silence errors from an internal CA, and consider mTLS between services so that both client and server must present a valid certificate before a session exists. Certificate pinning can be used in in-house applications to reduce exposure to a compromised or mis-issuing CA; pin to a CA or intermediate key you control rather than to a leaf certificate, and document and plan the rollout and key rotation so renewals do not cause service disruption.
- Session hygiene and monitoring: Implement reasonable session timeouts, re-authentication for high-risk actions, and short-lived session tokens for APIs. Log session creation/termination events and monitor for anomalies (multiple simultaneous sessions from different geolocations for a single user, repeated failed auth attempts). Use simple SIEM or log aggregation suitable for SMBs (cloud log services) to detect session-based attacks.
- Operational controls and patching: Keep web servers, VPN appliances, and TLS libraries (OpenSSL, LibreSSL, NSS) up to date. Maintain an inventory of services that accept network logins or manage sessions and include them in routine patch and configuration review processes. Document certificate owners, expiration dates, and renewal procedures.
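The TLS and HTTP settings from the items above, as an added example that is not part of the original guidance: a Python module (standard library only) that builds client and server TLS contexts with the protocol floor, forward-secrecy cipher restriction, chain and hostname validation, and optional mutual TLS, and audits a login response's headers for HSTS and the Secure/HttpOnly/SameSite cookie attributes. The certificate paths and the two header sets are assumptions constructed for the demo.

```python
"""Hardened TLS contexts plus a response-header audit for session authenticity.

Added example (not code from NIST or CMMC); standard library only. Certificate
paths are assumptions: pass the firm's CA bundle and, for mTLS, the service's
own certificate and key.
"""
import ssl

# TLS 1.2 suites with ECDHE key exchange (forward secrecy) and AEAD ciphers.
# TLS 1.3 suites are not governed by set_ciphers() and remain enabled.
MODERN_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
])

# Substrings that must not appear in any negotiable suite name (audit deny-list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH", "CBC")


def hardened_client_context(ca_file=None, client_cert=None, client_key=None):
    """Client side: refuse legacy protocols, validate the server's chain and
    hostname, and optionally present a client certificate (mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 refused
    ctx.check_hostname = True                     # cert name must match the peer
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable chain: no session
    ctx.set_ciphers(MODERN_CIPHERS)
    if client_cert:                               # mTLS: prove our own identity too
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def hardened_server_context(cert_file, key_file, client_ca=None):
    """Server side. With client_ca set, only clients holding a certificate
    issued by that CA can establish a session (mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    ctx.load_cert_chain(cert_file, key_file)
    if client_ca:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_summary(ctx):
    """Plain-value view of the settings an auditor cares about."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in offered if any(m in n for m in WEAK_CIPHER_MARKERS)]
    return {
        "min_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "weak_ciphers": weak,
    }


def _directives(header_value):
    """'max-age=63072000; includeSubDomains' -> {'max-age': '63072000', 'includesubdomains': None}"""
    out = {}
    for part in header_value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip() or None
    return out


def audit_response_headers(headers):
    """Audit the headers of a session-establishing response. `headers` is a list
    of (name, value) pairs. Returns findings; an empty list means it passed."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age = _directives(hsts[0]).get("max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) < 31536000:
            findings.append("HSTS max-age should be at least one year")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = _directives(value.partition(";")[2])  # attributes after name=value
        for required in ("secure", "httponly"):
            if required not in attrs:
                findings.append(f"cookie {cookie}: missing {required}")
        if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {cookie}: SameSite should be Lax or Strict")
    return findings


# Constructed sample responses: a default install and the hardened equivalent.
DEFAULT_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=1f9c0b4e; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "sid=1f9c0b4e; Path=/; Secure; HttpOnly; SameSite=Strict"),
]
```

Running `context_summary(hardened_client_context())` shows a TLSv1_2 floor, hostname checking on, verification required and no weak suites offered; `audit_response_headers(DEFAULT_HEADERS)` returns four findings (no HSTS, cookie missing Secure and HttpOnly, no SameSite) while the hardened header set returns none. The server context is what the payroll-API side would use with `client_ca` set, so a peer without a certificate from the firm's internal CA never gets a session.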
Example in a Small or Medium Business
A 50-person marketing firm runs an internal timesheet web application and a VPN for remote staff. The IT administrator replaces the self-signed certificate on the timesheet server with a CA-signed certificate from Let's Encrypt and configures automatic renewal so staff never see expired-certificate warnings. The web server is hardened: TLS 1.3 preferred, weak ciphers disabled, HSTS enabled, and cookies marked Secure and HttpOnly. Remote employees connect via a TLS-based VPN that enforces MFA with a push authenticator; passwords alone no longer establish a session. For the payroll API used by HR, the firm implements mutual TLS between the payroll server and the app server so only authorized systems can establish a session. Session timeouts are set to 15 minutes of inactivity for administrative interfaces and 60 minutes for general use; sensitive actions in the app require re-authentication. The security lead maintains a simple spreadsheet with certificate expiration dates, automates renewal where possible, and reviews access logs weekly to spot unusual session activity. Together, these steps reduce the likelihood of session impersonation and give the small IT team clear processes to maintain authenticity controls.
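The session monitoring called for in the "Session hygiene and monitoring" item and in the weekly log review above, as an added example that is not part of the original guidance: a Python script that parses login events and flags the two anomalies named there, one user holding simultaneous sessions from different geolocations, and a burst of failed authentications for one account. The log format and every user name, address and geolocation below are constructed for the demo; real VPN or web-app events would be mapped onto the same fields.

```python
"""Session-log anomaly detection for the two patterns the guidance calls out.

Added example, not part of the original guidance. The log format and all
users, addresses and geolocations are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One event per line: timestamp, user, event, source address, geolocation and,
# for successful logins and logouts, the session id.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+)(?: session=(?P<sid>\S+))?$"
)

SAMPLE_LOG = """
2024-03-04T09:00:12Z user=jsmith event=login_success src=203.0.113.10 geo=US-NY session=s1
2024-03-04T09:01:05Z user=aparker event=login_success src=203.0.113.22 geo=US-NY session=s2
2024-03-04T09:02:30Z user=aparker event=login_failure src=203.0.113.22 geo=US-NY
2024-03-04T09:03:40Z user=jsmith event=login_success src=198.51.100.7 geo=DE-BE session=s3
2024-03-04T09:10:00Z user=aparker event=logout src=203.0.113.22 geo=US-NY session=s2
2024-03-04T09:12:00Z user=aparker event=login_success src=192.0.2.44 geo=US-CA session=s4
2024-03-04T09:20:01Z user=hr-admin event=login_failure src=192.0.2.99 geo=XX-UNK
2024-03-04T09:20:04Z user=hr-admin event=login_failure src=192.0.2.99 geo=XX-UNK
2024-03-04T09:20:09Z user=hr-admin event=login_failure src=192.0.2.99 geo=XX-UNK
2024-03-04T09:20:15Z user=hr-admin event=login_failure src=192.0.2.99 geo=XX-UNK
2024-03-04T09:20:22Z user=hr-admin event=login_failure src=192.0.2.99 geo=XX-UNK
""".strip().splitlines()


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ev


def concurrent_geo_sessions(events):
    """Flag a login that opens a session while the same user still has an open
    session from a different geolocation. A logout closes its session, so a
    user who moves between offices is not flagged."""
    open_sessions = defaultdict(dict)  # user -> {session id: geo}
    findings = []
    for ev in events:
        if ev["event"] == "login_success":
            others = {g for g in open_sessions[ev["user"]].values() if g != ev["geo"]}
            if others:
                findings.append(f"{ev['user']}: concurrent sessions from {ev['geo']} and "
                                f"{', '.join(sorted(others))} at {ev['ts']:%H:%M:%S}Z")
            open_sessions[ev["user"]][ev["sid"]] = ev["geo"]
        elif ev["event"] == "logout":
            open_sessions[ev["user"]].pop(ev["sid"], None)
    return findings


def failed_auth_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag `threshold` or more failed logins for one account inside a sliding
    window; the window is cleared after a hit so one burst yields one finding."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    findings = []
    for ev in events:
        if ev["event"] != "login_failure":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            findings.append(f"{ev['user']}: {len(q)} failed logins within "
                            f"{int(window.total_seconds() // 60)} min ending {ev['ts']:%H:%M:%S}Z")
            q.clear()
    return findings


def analyze(lines, threshold=5, window=timedelta(minutes=5)):
    """Run both detectors over the log in timestamp order."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    return concurrent_geo_sessions(events) + failed_auth_bursts(events, threshold, window)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports jsmith (a session from DE-BE opened while the US-NY session was still live) and hr-admin (five failures in twenty seconds), and stays quiet for aparker, whose single typo and office change after a clean logout are exactly the benign cases a weekly review should not have to wade through. Thresholds are parameters so the firm can tune them to its own failure baseline before alerting on them.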
Summary
Protecting the authenticity of communications sessions combines policy, configuration, and operational practices: use modern TLS with valid certificates, require MFA for session establishment, harden server configuration (cipher suites, HSTS, secure cookies), consider mTLS for high-value services, and monitor session activity. For SMBs, automation (certificate renewal, MFA enrollment), clear ownership of certificates and services, and regular log review provide an efficient path to meeting SC.L2-3.13.15 while keeping administrative overhead manageable.