NIST control V0014671 states:
Network devices must authenticate all NTP messages received from NTP servers and peers.
Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source.
No. Technically it can be done but it is not part of the default config
and we do not support making the changes needed.
If you require NTP authentication...
Have some other server you own authenticate NTP to it's upstream peer if you need to,
and then have RSA server peer NTP from it.