>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-23Session Authenticity

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Protect the authenticity of communications sessions.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.

>Programmatic Queries

Beta

Related Services

CloudFront
ALB
API Gateway

CLI Commands

Check CloudFront HTTPS settings
aws cloudfront get-distribution --id DIST_ID --query 'Distribution.DistributionConfig.ViewerCertificate'
List ALB HTTPS listeners
aws elbv2 describe-listeners --load-balancer-arn ALB_ARN --query 'Listeners[*].{Port:Port,Protocol:Protocol,SSL:SslPolicy}'
Check API Gateway TLS
aws apigateway get-domain-names --query 'items[*].{Domain:domainName,Security:securityPolicy}'
Verify SSL policies
aws elbv2 describe-ssl-policies --query 'SslPolicies[*].{Name:Name,Protocols:SslProtocols,Ciphers:Ciphers[*].Name}'
Open AWS ConsoleDocumentation

>Related Controls

AU-10
SC-8
SC-10
SC-11

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of session authenticity?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-23?

Technical Implementation:

  • How is session authenticity technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that session authenticity remains effective as the system evolves?
  • How are session timeouts and termination controls configured?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-23?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you show session management configuration settings?

Ask AI

Configure your API key to use AI features.