CMMC Level 2 Practice 3.5.4: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts

CMMC Level 2 Practice 3.5.4 requires you to use replay-resistant authentication for network access, for both privileged and non-privileged accounts, so captured credentials or login exchanges cannot be reused by an attacker. Operationalize it by enforcing MFA methods that resist replay (for example, FIDO2/WebAuthn or certificate-based authentication) on VPN, admin portals, and remote access paths, and retain proof that the control is consistently enforced. (NIST SP 800-171 Rev. 2; DoD CMMC Program Guidance)

Key takeaways:

  • Scope “network access” first (VPN, ZTNA, remote admin, cloud consoles), then enforce replay-resistant MFA everywhere in that scope. (NIST SP 800-171 Rev. 2)
  • Prioritize phishing- and replay-resistant methods (FIDO2, client certs, PIV/CAC); avoid push-only MFA for privileged access where possible. (NIST SP 800-171 Rev. 2)
  • Evidence wins assessments: configs, conditional access policies, enrollment reports, and access logs that show the mechanism is in effect. (DoD CMMC Program Guidance)

CMMC Level 2 aligns to NIST SP 800-171 Rev. 2, and Practice 3.5.4 is one of the fastest ways assessors separate “we have MFA” from “we stop credential replay.” Replay attacks show up in real environments as stolen session cookies, intercepted one-time codes, captured RADIUS exchanges, or copied password hashes that get re-submitted to gain access. Practice 3.5.4 forces you to pick authentication mechanisms where the authentication “proof” cannot simply be reused later by an attacker.

For a CCO or GRC lead, the practical job is to (1) define which entry points count as network access in your CMMC boundary, (2) ensure both privileged and non-privileged users must authenticate using a replay-resistant method at those entry points, and (3) document and continuously capture the evidence an assessor will ask for. This page is written to help you move from requirement to deployable control language, implementation steps, and assessment-ready artifacts, using only the source references provided for CMMC and NIST SP 800-171 Rev. 2. (32 CFR Part 170; DoD CMMC Program Guidance; NIST SP 800-171 Rev. 2)

Requirement focus (what 3.5.4 is really asking)

Plain-English interpretation

You must prevent attackers from reusing captured authentication traffic to log in over the network. “Replay-resistant” means the authentication exchange includes a property like a cryptographic challenge/response, signed assertion, or unique per-session value, so a copied response fails if replayed.

This applies to:

  • Privileged accounts (admins, domain admins, cloud tenant admins, firewall admins, break-glass accounts).
  • Non-privileged accounts (standard users) that access systems over the network.

Practically, your assessor will look for replay-resistant authentication at the places where users authenticate to gain network access into the environment, not just at the workstation login screen. (NIST SP 800-171 Rev. 2)
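To make the "unique per-session value" property concrete, here is an added illustration (not code from the CMMC or NIST source material). It contrasts a static proof, which a network observer can capture and resubmit, with a nonce-based challenge/response in which each server-issued challenge is accepted once and a captured response is bound to the challenge it answered. The shared secret, the class and function names, and the "captured" messages are all constructed for the demo; a real deployment would use a standardised protocol such as FIDO2/WebAuthn, TLS client certificates or Kerberos rather than hand-rolled HMAC.

```python
"""Added illustration: why a fresh per-attempt challenge defeats replay
while a static credential does not. All names and secrets are constructed."""
import hashlib
import hmac
import secrets
import time

SHARED_SECRET = b"constructed-demo-secret"  # stand-in for a registered key


class StaticProofServer:
    """Static proof: the client sends the same value on every login, so any
    party that captures it once can re-submit it indefinitely (replayable)."""

    def __init__(self, secret: bytes):
        self._expected = hashlib.sha256(secret).hexdigest()

    def login(self, proof: str) -> bool:
        return hmac.compare_digest(proof, self._expected)


def static_client_proof(secret: bytes) -> str:
    return hashlib.sha256(secret).hexdigest()


class ChallengeResponseServer:
    """Replay-resistant: the server issues a random nonce per attempt, the
    client must MAC that exact nonce, and each nonce is consumed on first use
    and expires after a short window."""

    def __init__(self, secret: bytes, ttl_seconds: float = 60.0):
        self._secret = secret
        self._ttl = ttl_seconds
        self._pending = {}  # nonce -> issue time for outstanding challenges

    def challenge(self) -> str:
        now = time.monotonic()
        # Drop stale challenges so the pending table cannot grow without bound.
        self._pending = {n: t for n, t in self._pending.items() if now - t <= self._ttl}
        nonce = secrets.token_hex(16)
        self._pending[nonce] = now
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        issued = self._pending.pop(nonce, None)  # pop enforces single use
        if issued is None:
            return False  # unknown, expired, or already consumed
        if time.monotonic() - issued > self._ttl:
            return False  # stale challenge
        expected = hmac.new(self._secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)


def challenge_client_response(secret: bytes, nonce: str) -> str:
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def replay_static_proof() -> tuple:
    """Observer captures the static proof and re-submits it: both succeed."""
    server = StaticProofServer(SHARED_SECRET)
    captured = static_client_proof(SHARED_SECRET)  # what a sniffer would see
    first = server.login(captured)
    replayed = server.login(captured)  # identical bytes, still accepted
    return first, replayed


def replay_challenge_response() -> tuple:
    """Observer captures a valid response: first login succeeds, replay and
    reuse against a new challenge both fail."""
    server = ChallengeResponseServer(SHARED_SECRET)
    nonce = server.challenge()
    captured = challenge_client_response(SHARED_SECRET, nonce)
    first = server.login(nonce, captured)
    replayed = server.login(nonce, captured)  # nonce already consumed
    new_nonce = server.challenge()
    cross = server.login(new_nonce, captured)  # MAC was bound to the old nonce
    return first, replayed, cross


if __name__ == "__main__":
    print("static proof:       first=%s replayed=%s" % replay_static_proof())
    print("challenge/response: first=%s replayed=%s cross=%s" % replay_challenge_response())
```

When an assessor asks "how do you know the method is replay-resistant," the answer is the property shown in `ChallengeResponseServer.login`: the server contributes fresh randomness to every attempt and refuses to accept the same challenge twice. FIDO2/WebAuthn and certificate-based authentication supply this property in standardised form; a static OTP or password hash does not.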

Regulatory text

Excerpt (provided): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.5.4 (Employ replay-resistant authentication mechanisms for network access to privileged and non-).” (NIST SP 800-171 Rev. 2; DoD CMMC Program Guidance)

What the operator must do

  1. Identify network access paths into the CMMC Level 2 boundary (or enclave) where authentication occurs.
  2. Require replay-resistant authentication for those access paths for both privileged and non-privileged users.
  3. Document and prove the mechanism is enforced (policy + technical configuration + logs). (NIST SP 800-171 Rev. 2; DoD CMMC Program Guidance; 32 CFR Part 170)

Who it applies to

Entities

  • Defense contractors and federal contractors handling CUI that must meet CMMC Level 2 requirements. (32 CFR Part 170; DoD CMMC Program Guidance)

Operational context (where it shows up)

  • Remote access into the environment (VPN, ZTNA, VDI gateways).
  • Administrative access over the network (RDP/SSH via bastion, hypervisor consoles, network gear admin UIs).
  • Identity provider authentication for cloud services inside the CMMC boundary (for example, SSO into admin consoles).
  • Third-party support access if they authenticate into your boundary (managed service providers, OEM support). (NIST SP 800-171 Rev. 2)

What you actually need to do (step-by-step)

Step 1: Define “network access” for your boundary

Create a simple inventory table of entry points that require authentication. Minimum columns:

  • Entry point (VPN, ZTNA portal, RDP gateway, IdP, firewall admin UI)
  • User types (privileged, non-privileged, third party)
  • Current auth method
  • Target replay-resistant method
  • Enforcement control (conditional access, RADIUS policy, device cert requirement)

This inventory becomes your scoping artifact for assessment and keeps the control from turning into an argument about what “counts.” (NIST SP 800-171 Rev. 2)

Step 2: Select replay-resistant mechanisms that fit each entry point

Common options that typically meet the intent:

  • FIDO2/WebAuthn security keys or platform authenticators for interactive sign-in.
  • Certificate-based authentication (smartcards, client TLS certificates, PIV/CAC where applicable).
  • Kerberos with pre-authentication for certain internal network auth flows, when properly configured and not exposed in insecure ways.

Methods that often create assessment friction if used alone:

  • SMS OTP (phishable and frequently replayable via real-time phishing kits).
  • Email OTP (weak control channel).
  • Push-to-approve MFA without number matching or phishing-resistant controls (commonly defeated by push fatigue and real-time relay).

Your standard should explicitly define “approved replay-resistant factors” for privileged access and list exceptions with compensating controls. Keep it short and enforceable. (NIST SP 800-171 Rev. 2)

Step 3: Enforce replay-resistant auth for privileged access first

Privileged access is where assessors focus. Implement:

  • Admin portal / IdP policy: require phishing-resistant MFA for admin roles, block legacy authentication, require device compliance where feasible.
  • Privileged remote access: require MFA at the gateway (VPN/ZTNA) and, for high-risk admin workflows, require step-up authentication when accessing admin consoles.
  • Service accounts: confirm they are not used for interactive logon; where network authentication is required, use strong key- or certificate-based approaches and limit where the account can authenticate.

Document “privileged” in your access control standard so the scope is unambiguous. (NIST SP 800-171 Rev. 2)

Step 4: Extend enforcement to non-privileged network access

Apply the same principle to standard users who remotely access the environment:

  • Require replay-resistant MFA for VPN/ZTNA and SSO.
  • Disable or restrict protocols that bypass MFA paths (for example, direct RDP from the internet; legacy email auth) within the CMMC boundary.
  • If contractors or third parties access the environment, apply the same enforcement or put them behind a managed access path that enforces your mechanism.

Treat “non-privileged” as “everyone else,” not “optional.” (NIST SP 800-171 Rev. 2)

Step 5: Create configuration baselines and recurring evidence capture

Assessments fail when the control exists but you cannot prove it stays on. Put a recurring evidence routine in place:

  • Export conditional access / IdP policies that show phishing-resistant or certificate-based MFA required for the in-scope apps.
  • Export VPN/RADIUS configuration showing certificate or strong MFA required.
  • Pull authentication logs showing MFA claims for a sample of privileged and non-privileged logins.
  • Track exceptions with approvals and expiration.

Daydream can help here as the system of record that maps Practice 3.5.4 to your control statements and schedules recurring evidence pulls so the evidence is ready when the assessor asks, not rebuilt under pressure. (DoD CMMC Program Guidance)
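The log pull in the evidence routine above is more useful if it is checked against the Step 1 inventory rather than just filed. The following is an added example (not code from the CMMC or NIST source material, and not a Daydream feature): it reads sign-in records, looks up each entry point in an inventory of approved replay-resistant methods, and flags successful logins that used something else, split by privileged and non-privileged tier. The log format, field names, entry-point names and the inventory itself are constructed for the demo; map them to your own IdP or VPN export schema.

```python
"""Added example: evidence check that cross-references authentication log
records against an entry-point inventory. All data and names are constructed."""
import json
from collections import Counter

# Constructed inventory (Step 1): approved replay-resistant methods per entry point.
INVENTORY = {
    "vpn":         {"approved": {"fido2", "client_cert"}},
    "idp_admin":   {"approved": {"fido2", "piv"}},
    "rdp_gateway": {"approved": {"fido2", "client_cert"}},
}
PRIVILEGED_ROLES = {"global_admin", "domain_admin", "fw_admin"}

# Constructed sample sign-in export, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:01Z","user":"alice","role":"global_admin","entry":"idp_admin","method":"fido2","result":"success"}
{"ts":"2024-05-01T08:05:12Z","user":"bob","role":"user","entry":"vpn","method":"push","result":"success"}
{"ts":"2024-05-01T08:07:44Z","user":"carol","role":"domain_admin","entry":"rdp_gateway","method":"sms_otp","result":"success"}
{"ts":"2024-05-01T08:09:03Z","user":"dave","role":"user","entry":"vpn","method":"client_cert","result":"success"}
{"ts":"2024-05-01T08:11:30Z","user":"erin","role":"fw_admin","entry":"idp_admin","method":"password","result":"failure"}
{"ts":"2024-05-01T08:12:02Z","user":"frank","role":"user","entry":"wiki","method":"password","result":"success"}
"""


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(records, inventory=INVENTORY, privileged_roles=PRIVILEGED_ROLES):
    """Return (findings, coverage).

    findings: records that need attention, each tagged with a 'kind'.
    coverage: Counter keyed by (entry point, tier, compliant|noncompliant)
              over successful logins, i.e. the sample evidence for the assessor.
    """
    findings = []
    coverage = Counter()
    for r in records:
        entry = inventory.get(r["entry"])
        if entry is None:
            # Not in the inventory: either out of scope or a Step 1 gap. Surface it
            # so the scoping decision is made explicitly rather than by omission.
            findings.append({"kind": "uninventoried_entry_point", **r})
            continue
        if r["result"] != "success":
            continue  # failed attempts do not evidence granted access
        tier = "privileged" if r["role"] in privileged_roles else "non_privileged"
        if r["method"] in entry["approved"]:
            coverage[(r["entry"], tier, "compliant")] += 1
        else:
            coverage[(r["entry"], tier, "noncompliant")] += 1
            findings.append({"kind": "non_replay_resistant_login", "tier": tier, **r})
    return findings, coverage


if __name__ == "__main__":
    found, cov = review(parse_log(SAMPLE_LOG))
    for f in found:
        print(f["kind"], f["user"], f["entry"], f["method"])
    for key, n in sorted(cov.items()):
        print(key, n)
```

Run on a recurring schedule, the `coverage` counter is the "sample of privileged and non-privileged logins" artifact, and a non-empty `findings` list is the trigger for either an exception-register entry or a configuration fix.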

Required evidence and artifacts to retain

Use an evidence checklist your IT owner can execute without interpretation:

Policy and standards

  • Authentication standard defining replay-resistant methods approved for network access; includes privileged and non-privileged scope. (NIST SP 800-171 Rev. 2)
  • Remote access standard that lists approved entry points and prohibits unmanaged access paths into the boundary. (NIST SP 800-171 Rev. 2)

Technical configurations (screenshots or exports)

  • IdP conditional access policies for privileged roles and standard users (MFA type requirements, blocked legacy auth). (NIST SP 800-171 Rev. 2)
  • VPN/ZTNA configuration showing MFA or certificate requirements and group scoping. (NIST SP 800-171 Rev. 2)
  • Privileged access pathway design (bastion/jump host requirements, admin role assignments). (NIST SP 800-171 Rev. 2)

Operational records

  • MFA enrollment reports for privileged users and a sample of non-privileged users.
  • Authentication logs that show MFA method and success for in-scope access points.
  • Exception register (who, why, compensating controls, owner approval, expiration date). (DoD CMMC Program Guidance)

Common exam/audit questions and hangups

Assessors commonly probe these areas for 3.5.4 alignment:

  1. “Show me every way a user can authenticate into the boundary from the network.” If you miss an entry point, you create a gap.
  2. “How do you know the MFA method is replay-resistant?” Be ready to name the mechanism and show the enforcement setting, not just “MFA is on.”
  3. “Does this apply to non-privileged users?” Yes; you need coverage for both categories for network access. (NIST SP 800-171 Rev. 2)
  4. “What about third-party access?” If they authenticate into your environment, their path must meet the same requirement or be isolated behind a compliant gateway. (NIST SP 800-171 Rev. 2)
  5. “What about service accounts?” Expect scrutiny if a service account can log in interactively or over remote management paths.

Frequent implementation mistakes and how to avoid them

  • Mistake: Declaring “we have MFA” but allowing legacy protocols that bypass it.
    Why it fails: Assessors test alternate paths.
    Fix: Block legacy auth; constrain access to approved entry points. (NIST SP 800-171 Rev. 2)
  • Mistake: Push-only MFA for admins without phishing-resistant controls.
    Why it fails: Real-time relay and approval fatigue risks.
    Fix: Require FIDO2 or certificate-based MFA for privileged roles. (NIST SP 800-171 Rev. 2)
  • Mistake: Treating workstation logon MFA as “network access” coverage.
    Why it fails: 3.5.4 is about network authentication paths.
    Fix: Map and enforce at VPN/ZTNA/SSO/admin portals. (NIST SP 800-171 Rev. 2)
  • Mistake: No evidence routine.
    Why it fails: Control drifts and you can’t prove operation.
    Fix: Set recurring exports/log pulls; store in a GRC evidence vault. (DoD CMMC Program Guidance)
  • Mistake: Exceptions that never expire.
    Why it fails: Creates permanent weak links.
    Fix: Time-bound exceptions with compensating controls and re-approval.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so you should treat enforcement risk as contractual and assessment-based: failing 3.5.4 can block CMMC Level 2 certification or drive corrective action demands tied to DoD contracting expectations under the CMMC program structure. (32 CFR Part 170; DoD CMMC Program Guidance)

Operationally, weak replay resistance increases the chance that credential interception or real-time phishing leads to remote access into CUI systems, which can expand incident scope, reporting obligations, and customer trust impact.

Practical 30/60/90-day execution plan

Use phases (not date promises) to move fast without guessing durations.

Next 30 days (Immediate)

  • Build the network access entry-point inventory for the CMMC boundary and identify privileged vs non-privileged flows. (NIST SP 800-171 Rev. 2)
  • Decide and document approved replay-resistant methods for privileged and non-privileged access in an authentication standard. (NIST SP 800-171 Rev. 2)
  • Turn on enforcement for the highest-risk path: admin IdP access and remote admin access through a single controlled gateway.

Next 60 days (Near-term)

  • Expand enforcement to all remote access paths (VPN/ZTNA/VDI/SSO apps in scope) and close bypass routes (legacy auth, direct-to-host access). (NIST SP 800-171 Rev. 2)
  • Implement exception handling with expirations and compensating controls; socialize it with IT and security operations.
  • Set up recurring evidence capture (policy exports + sample logs) and store it in a structured repository (Daydream or your existing GRC). (DoD CMMC Program Guidance)

Next 90 days (Operationalize)

  • Validate coverage through access path testing: attempt logins through each entry point as privileged and non-privileged users and confirm the replay-resistant mechanism triggers.
  • Review privileged role assignments and reduce standing privilege where feasible; fewer privileged accounts reduce the testing and exception surface area.
  • Run an internal assessment dry-run: answer the audit questions above using only stored artifacts, then fix gaps. (DoD CMMC Program Guidance)

Frequently Asked Questions

Does CMMC Level 2 Practice 3.5.4 require MFA everywhere?

It requires replay-resistant authentication mechanisms for network access for privileged and non-privileged accounts. In practice, MFA is the common way to meet the intent, but the key is the mechanism’s resistance to replay in the network authentication flow. (NIST SP 800-171 Rev. 2)

Are SMS or email one-time codes acceptable for replay-resistant authentication?

They often create assessment risk because they are easy to phish and relay in real time. If you keep them for limited cases, document an exception, narrow scope, and prefer phishing-resistant methods for privileged access. (NIST SP 800-171 Rev. 2)

Does this apply to internal network access, or only remote users?

The requirement is scoped to “network access,” so it can apply to both remote and internal paths where users authenticate over a network to reach systems in scope. Your entry-point inventory should explicitly list the covered paths. (NIST SP 800-171 Rev. 2)

How do we handle third-party support accounts under 3.5.4?

If a third party authenticates into the boundary, enforce your replay-resistant method on their access path (for example, a controlled VPN/ZTNA portal with compliant MFA). If they cannot meet it, route them through an alternative managed access workflow or restrict access until they can. (NIST SP 800-171 Rev. 2)

What evidence will an assessor accept to prove replay-resistant authentication is enforced?

Provide policy language that defines approved mechanisms, exported configurations from your IdP/VPN showing enforcement, and authentication logs showing the mechanism was used by privileged and non-privileged users. Tie artifacts to the entry points in your inventory. (DoD CMMC Program Guidance; NIST SP 800-171 Rev. 2)

We have MFA on VPN, but admins can still sign in to cloud consoles with only a password. Is that a gap?

Yes, if those cloud consoles are in scope and provide network access to privileged functions. Apply conditional access to require replay-resistant MFA for admin roles and block legacy sign-in paths. (NIST SP 800-171 Rev. 2)

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.
