
IA.L2-3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

What this control requires

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Source: CMMC L2 v2.13 IA.L2-3.5.4 / NIST SP 800-171 R2 3.5.4 (official control text).

Why this matters

Replay attacks let adversaries intercept valid authentication exchanges and reuse them to gain unauthorized access without ever knowing the actual password. This control requires authentication mechanisms that cannot be defeated by simply capturing and replaying login traffic. Time-based one-time passwords, challenge-response protocols, and certificate-based authentication all bind each login to a value that is unique to that session (a time window, a server-chosen nonce, or a signature over session data), so a recorded exchange is worthless when presented again. Without replay resistance, an attacker with a network vantage point can impersonate legitimate users—including administrators—by retransmitting previously captured authentication exchanges. This is especially dangerous for privileged accounts that control critical systems and data.
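To make the challenge-response idea concrete, here is an added illustration (not part of the control text and not FORCE platform code) of the minimal server-side logic that gives replay resistance: a fresh random nonce per login, a client proof bound to that nonce with HMAC-SHA256 over a shared secret, single-use consumption of the nonce, and a short validity window. The class, function and secret names are hypothetical and the secret is a constructed sample value.

```python
import hashlib
import hmac
import secrets
import time


# Hypothetical server-side verifier: each login attempt gets a fresh random
# nonce, the client proves knowledge of the shared secret by returning
# HMAC-SHA256(secret, nonce), and the nonce is consumed on first use.
class ReplayResistantAuth:
    def __init__(self, shared_secret, nonce_ttl=60.0):
        self.secret = shared_secret
        self.ttl = nonce_ttl
        self.outstanding = {}  # nonce -> issue time; removed once used

    def issue_challenge(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.outstanding[nonce] = now
        return nonce

    def verify(self, nonce, response, now=None):
        now = time.time() if now is None else now
        issued_at = self.outstanding.pop(nonce, None)  # single use: pop, never get
        if issued_at is None:
            return False  # unknown or already-consumed nonce: a replay is rejected here
        if now - issued_at > self.ttl:
            return False  # stale challenge: limits how long a capture stays useful
        expected = compute_response(self.secret, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def compute_response(shared_secret, nonce):
    """Client side: the proof is bound to this session's nonce, not reusable."""
    return hmac.new(shared_secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    """Returns (legitimate login ok, replayed capture ok, stale challenge ok)."""
    secret = b"constructed-shared-secret"  # constructed sample value
    auth = ReplayResistantAuth(secret, nonce_ttl=60.0)
    nonce = auth.issue_challenge(now=1000.0)
    captured = compute_response(secret, nonce)  # the bytes a sniffer would record
    legit = auth.verify(nonce, captured, now=1001.0)
    replayed = auth.verify(nonce, captured, now=1002.0)  # same bytes presented again
    stale_nonce = auth.issue_challenge(now=1000.0)
    stale = auth.verify(stale_nonce, compute_response(secret, stale_nonce), now=2000.0)
    return legit, replayed, stale
```

Running `demo()` yields `(True, False, False)`: the first presentation succeeds, the identical replay fails because the nonce was consumed, and a challenge answered after the window fails on age.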

What evidence assessors expect

Assessors typically look for: screenshots, configuration exports, and log files. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on IA.L2-3.5.4.

FORCE shows where you stand on this control and walks you through closing it.

Start a free trial tenant →