NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-2(9) Network Access to Non-privileged Accounts — Replay Resistant

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement was withdrawn in Revision 5 and incorporated into IA-2(8), which now covers replay-resistant authentication for network access to privileged accounts, non-privileged accounts, or both, as selected by the organization. In Revision 4 it separately required replay-resistant authentication mechanisms for network access to non-privileged accounts only.

Example 1: Use Kerberos or certificate-based (PKI) authentication for all network access, privileged and non-privileged alike, instead of NTLM. Kerberos authenticators carry a timestamp, the KDC and services keep a replay cache, and mutual authentication ties the ticket to the intended service. An NTLM challenge-response, by contrast, can be relayed in real time to a different server (NTLM relay), and an NTLMv1 response can be cracked offline to recover the account's NT hash, so NTLM does not give the replay resistance this enhancement asks for.

Example 2: Restrict NTLM through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options) so that clients must use Kerberos for domain authentication. Audit before you enforce: enable "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" and review the Microsoft-Windows-NTLM/Operational log and 4624 logon events to find what still authenticates with NTLM, then set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" and the "Restrict NTLM: Incoming NTLM traffic" and "Outgoing NTLM traffic to remote servers" policies to deny, adding named exceptions only for servers that cannot do Kerberos. Kerberos requires that clients reach a service by a hostname with a registered SPN; connections by IP address or to a service without an SPN silently fall back to NTLM, and those are the cases the audit will surface.
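The audit-then-enforce procedure in Examples 1 and 2, as an added PowerShell example that is not part of the NIST control text or any vendor tool. It inventories network logons by authentication package from Security event 4624, reports the registry values behind the Group Policy "Restrict NTLM" and "LAN Manager authentication level" settings against their hardened targets, and writes those targets only when run with -Enforce. Event ID 4624, its field names, the registry paths and value meanings are Microsoft-documented; the script name Audit-Ntlm.ps1, the 7-day default window, the -Enforce switch and the output layout are this example's own assumptions.

```powershell
# Added example (not from the NIST text): audit NTLM use on a Windows host,
# show the LSA registry values that the Group Policy "Restrict NTLM" entries
# write, and optionally set the hardened values. Run in an elevated session.
# Assumed: script saved as Audit-Ntlm.ps1; -Days and -Enforce are this
# example's own parameters.
param(
    [int]$Days = 7,      # look-back window for the logon audit (assumed default)
    [switch]$Enforce     # write the hardened values only when given (assumed)
)

# --- Step 1: which accounts still authenticate with NTLM over the network? ----
# 4624 = successful logon; LogonType 3 = network logon. AuthenticationPackageName
# is "Kerberos" or "NTLM"; LmPackageName distinguishes "NTLM V1" from "NTLM V2".
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$logons = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['LogonType'] -ne '3') { continue }
    [pscustomobject]@{
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']
        Package   = $d['AuthenticationPackageName']
        LmPackage = $d['LmPackageName']     # "NTLM V1" is the urgent case
    }
}

"Network logons by authentication package (last $Days days):"
$logons | Group-Object Package, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# These are the accounts (and, via Source, the clients) that need a Kerberos
# path before NTLM is refused: a hostname with a registered SPN, not an IP.
"Accounts still using NTLM (top 20):"
$logons | Where-Object Package -eq 'NTLM' | Group-Object Account |
    Sort-Object Count -Descending | Select-Object -First 20 Count, Name |
    Format-Table -AutoSize

# --- Step 2: current state of the settings behind the Group Policy entries ----
# GPO path: Computer Configuration > Policies > Windows Settings > Security
# Settings > Local Policies > Security Options. Each value is what the named
# policy writes; "Want" is the hardened target.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$settings = @(
    # "LAN Manager authentication level": 5 = Send NTLMv2 response only. Refuse LM & NTLM
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';         Want = 5 },
    # "Restrict NTLM: Audit Incoming NTLM Traffic": 2 = enable auditing for all accounts
    @{ Path = $msv; Name = 'AuditReceivingNTLMTraffic';    Want = 2 },
    # "Restrict NTLM: Outgoing NTLM traffic to remote servers": 2 = deny all
    @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic';   Want = 2 },
    # "Restrict NTLM: Incoming NTLM traffic": 2 = deny all accounts
    @{ Path = $msv; Name = 'RestrictReceivingNTLMTraffic'; Want = 2 }
)

"NTLM restriction settings (empty Current = policy not configured):"
$settings | ForEach-Object {
    $cur = (Get-ItemProperty -Path $_.Path -Name $_.Name -ErrorAction SilentlyContinue).($_.Name)
    [pscustomobject]@{ Setting = $_.Name; Current = $cur; Target = $_.Want }
} | Format-Table -AutoSize

# --- Step 3: enforce (standalone host or lab; in a domain set these by GPO) ---
# Only after Step 1 shows no unexplained NTLM logons: "deny all" blocks every
# NTLM authentication except servers listed in the "Add server exceptions"
# policies. Blocked and audited attempts then appear in the
# Microsoft-Windows-NTLM/Operational log (events 8001 through 8004).
if ($Enforce) {
    foreach ($s in $settings) {
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -Type DWord
    }
    "Hardened NTLM values written; re-run without -Enforce to confirm them."
}
```

Run `.\Audit-Ntlm.ps1 -Days 14` on a domain controller or file server to see the NTLM footprint, fix the clients and services it lists (register SPNs, connect by hostname, retire NTLMv1), and only then run it with `-Enforce` or, in a domain, push the same four values through the Group Policy settings named in the comments.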