3.13.15 — Protect Session Integrity
What It Says
Section titled “What It Says”Protect the authenticity of communications sessions.
What It Actually Means
Section titled “What It Actually Means”Session authenticity means both sides of a communication can verify they’re talking to the legitimate party — and that the session can’t be taken over mid-stream.
Threats this addresses:
- Session hijacking — attacker steals a session cookie or token and takes over an active session
- Man-in-the-middle (MITM) — attacker intercepts communications between two systems, reading or modifying data in transit
- Session fixation — attacker sets a known session ID before the user authenticates
Controls that satisfy this:
- TLS 1.2+ with strong cipher suites — encrypts and authenticates the session
- HSTS (HTTP Strict Transport Security) — prevents downgrade attacks from HTTPS to HTTP
- Secure session tokens — random, unpredictable, short-lived, transmitted only over encrypted channels
- Certificate validation — verify TLS certificates are valid, not self-signed or expired
- Mutual TLS — both client and server authenticate via certificates (for service-to-service)
The assessor will check your TLS configuration, HSTS headers, and session management settings.
Pass or Fail
Section titled “Pass or Fail”Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are communications sessions protected from hijacking? | TLS, HSTS, secure session management implemented |
| 2 | Are mechanisms in place to verify session authenticity? | Certificate validation, mutual TLS where appropriate |
What to Have Ready on Assessment Day
Section titled “What to Have Ready on Assessment Day”Documents they’ll review: System and communications protection policy; system security plan; system configuration settings for TLS and session management; HSTS configuration; certificate management documentation
People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers
Live demos they’ll ask for: TLS configuration; HSTS headers; session token security; certificate validation
The Assessor’s Playbook
Section titled “The Assessor’s Playbook”These are the actual questions. Have answers ready.
- “What TLS version and cipher suites do your web applications use?”
- “Is HSTS enabled on your web services? Show me the headers.”
- “How are session tokens generated — are they random and unpredictable?”
- “What’s the session token lifetime?”
- “Do you use mutual TLS for any service-to-service communications?”
- “Show me certificate validation is enforced — what happens with an expired or self-signed cert?”
Where Companies Trip Up
Section titled “Where Companies Trip Up”No HSTS. Users can be redirected from HTTPS to HTTP via a MITM attack. Enable HSTS headers.
Weak cipher suites. Allowing RC4, DES, or export-grade ciphers. Configure strong cipher suites only.
Long-lived session tokens. Tokens that last for days or weeks. Keep session lifetimes short — 1 hour for sensitive applications.
Self-signed certificates accepted. Applications configured to skip certificate validation. Always validate certificates.
TLS 1.0/1.1 still enabled. Deprecated and vulnerable. Disable them. TLS 1.2 minimum.
How to Talk About This
Section titled “How to Talk About This”Connected Requirements
Section titled “Connected Requirements”| Requirement | Why it matters here |
|---|---|
| 3.13.8 — Encrypt in Transit | TLS provides both encryption and session authenticity |
| 3.5.4 — Replay-Resistant Auth | Authentication that prevents session replay attacks |
| 3.13.11 — FIPS or It Doesn’t Count | TLS modules must be FIPS-validated |
Implementation (coming soon)
Section titled “Implementation (coming soon)”Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: SC.L2-3.13.15 | SPRS Weight: 5 points | POA&M Eligible: No