SC-23(3)—Session Authenticity | Unique System-generated Session Identifiers
IL5
IL6
>Control Description
Generate a unique session identifier for each session with ⚙organization-defined randomness requirements and recognize only session identifiers that are system-generated.
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Generating unique session identifiers curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers protects against brute-force attacks to determine future session identifiers.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern the implementation of unique system-generated session identifiers?
- •How are system and communications protection requirements defined and maintained?
- •Who is responsible for configuring and maintaining the security controls specified in SC-23(3)?
Technical Implementation:
- •How is unique system-generated session identifiers technically implemented in your environment?
- •What systems, tools, or configurations enforce this protection requirement?
- •How do you ensure that unique system-generated session identifiers remains effective as the system evolves?
- •How are session timeouts and termination controls configured?
Evidence & Documentation:
- •What documentation demonstrates the implementation of SC-23(3)?
- •Can you provide configuration evidence or system diagrams showing this protection control?
- •What logs or monitoring data verify that this control is functioning correctly?
- •Can you show session management configuration settings?
Ask AI
Configure your API key to use AI features.