IA.L2-3.5.4 · NIST SP 800-171 3.5.4

Replay-resistant Authentication

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

1 point if not met · POA&M eligible · 1 assessment objective

What an assessor scores, the objectives

IA.L2-3.5.4 has a single assessment objective in NIST SP 800-171A, and the requirement is met only when that objective is satisfied. If it is missed, the whole requirement is not met.

  • a. replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For IA.L2-3.5.4, an assessor uses these:

Examine

Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of privileged system accounts; other relevant documents or records

Interview

Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers

Test

Mechanisms supporting or implementing identification and authentication capability or replay resistant authentication mechanisms

What it means, in context

Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges, such as time-synchronous or challenge-response one-time authenticators: each authentication exchange is bound to a fresh value the verifier will not accept a second time, so a captured exchange has no value later. NIST SP 800-63-3 provides guidance on digital identities.

When insecure protocols are used for access to computing resources, an adversary may be able to capture login information and immediately reuse (replay) it for other purposes. It is important to use mechanisms that resist this technique.

Example

To protect your IT infrastructure, you understand that the methods for authentication must not be easily copied and re-sent to your systems by an adversary. You select Kerberos for authentication because of its built-in resistance to replay attacks (its authenticators carry a timestamp, and services reject one they have already seen within the clock-skew window). As a next step you upgrade all of your web applications to require Transport Layer Security (TLS), which is also replay-resistant at the transport layer; note that TLS protects the exchange on the wire but does not make a static password replay-resistant if that password is obtained elsewhere, so pair it with MFA or a challenge-response credential. Your use of MFA to protect remote access also confers some replay resistance.

Potential Assessment Considerations

  • Are only anti-replay authentication mechanisms used [a]?
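The difference between a replayable login and a nonce-bound one is easiest to see with both sides of the exchange on the table. The following is an added example written for this page, not code from NIST or the CMMC guides: a toy "basic auth" verifier beside a challenge-response verifier that issues a single-use, time-limited nonce and checks an HMAC over it. The credential store, the nonce size, the 30-second TTL and the injectable clock are assumptions made for illustration; a captured basic-auth message authenticates twice, a captured challenge-response message authenticates once, and a stale one not at all.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store (assumption, not from the page): user -> shared secret.
USERS = {"alice": "correct horse battery staple"}


class BasicAuthServer:
    """Counterexample: the client sends the static credential itself on every
    request, so whatever an eavesdropper captures can be resent unchanged."""

    def __init__(self, users):
        self.users = users

    def login(self, message):
        user, password = message
        stored = self.users.get(user, "")
        return hmac.compare_digest(stored.encode(), password.encode())


def compute_response(secret, nonce):
    """Client side of the challenge-response: prove knowledge of the secret
    without transmitting it. The answer is valid for this nonce only."""
    return hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Issues a fresh random nonce per attempt, accepts each nonce once, and
    discards nonces older than `ttl` seconds. A recorded response is useless
    because the nonce it answers is never offered again."""

    def __init__(self, users, ttl=30, clock=time.time):
        self.users = users
        self.ttl = ttl
        self.clock = clock        # injectable so the expiry path runs offline (assumption)
        self.pending = {}         # nonce -> (user, issued_at)

    def challenge(self, user):
        if user not in self.users:
            return None
        nonce = secrets.token_hex(16)     # 128 random bits: guessing/collisions impractical
        self.pending[nonce] = (user, self.clock())
        return nonce

    def login(self, message):
        user, nonce, response = message
        now = self.clock()
        # Drop expired challenges before evaluating this one.
        for stale in [n for n, (_, t) in self.pending.items() if now - t > self.ttl]:
            del self.pending[stale]
        # pop() makes the nonce single-use even when this attempt fails.
        entry = self.pending.pop(nonce, None)
        if entry is None or entry[0] != user:
            return False
        expected = compute_response(self.users[user], nonce)
        return hmac.compare_digest(expected, response)


def basic_auth_replays():
    """(first login result, replayed login result) for the static-credential server."""
    server = BasicAuthServer(USERS)
    captured = ("alice", USERS["alice"])   # what a sniffer sees on an insecure channel
    first = server.login(captured)
    replayed = server.login(captured)      # attacker resends the identical message
    return first, replayed


def challenge_response_replays():
    """(first login result, replayed login result) for the nonce-bound server."""
    server = ChallengeResponseServer(USERS)
    nonce = server.challenge("alice")
    captured = ("alice", nonce, compute_response(USERS["alice"], nonce))
    first = server.login(captured)
    replayed = server.login(captured)      # same bytes again: nonce already consumed
    return first, replayed


def challenge_response_stale_rejected():
    """A correct response presented after the nonce's TTL is refused as well."""
    fake_clock = [1000.0]
    server = ChallengeResponseServer(USERS, ttl=30, clock=lambda: fake_clock[0])
    nonce = server.challenge("alice")
    fake_clock[0] += 31                    # the attacker waits too long
    return server.login(("alice", nonce, compute_response(USERS["alice"], nonce)))


if __name__ == "__main__":
    print("basic auth (first, replay):", basic_auth_replays())
    print("challenge-response (first, replay):", challenge_response_replays())
    print("challenge-response after TTL:", challenge_response_stale_rejected())
```

The two properties an assessor is really testing for are visible in `ChallengeResponseServer.login`: the nonce is removed from `pending` on its first use regardless of outcome, and anything older than the TTL is purged before it can be answered. Time-synchronous OTPs achieve the same effect by substituting the current time step for the server-issued nonce, which is why both appear in the objective's list of acceptable techniques.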

What passing evidence looks like

A note naming the replay-resistant mechanism on each network access path (Kerberos, TLS-bound tokens, WebAuthn/FIDO2 keys, time-based or challenge-response one-time authenticators), paired with the configuration that disables legacy protocols on those same paths.

Common ways contractors fail IA.L2-3.5.4

  • Entra ID and Google sign-in are replay-resistant by protocol design; legacy protocols such as NTLMv1 and HTTP Basic authentication (a static credential resent on every request) are the counterexamples. Blocking legacy authentication is both the fix and the evidence.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove IA.L2-3.5.4, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

IA.L2-3.5.4 questions, answered

How many points is CMMC requirement IA.L2-3.5.4 worth?

IA.L2-3.5.4 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can IA.L2-3.5.4 be placed on a POA&M?

Yes. A gap on IA.L2-3.5.4 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.

What family does IA.L2-3.5.4 belong to?

IA.L2-3.5.4 is in the Identification & Authentication (IA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.5.4
  • NIST SP 800-171A 3.5.4 assessment objective [a]
  • NIST SP 800-63-3 Digital Identity Guidelines
  • 32 CFR 170.24 (CMMC scoring)