There are several levels of security and access control configured within an MQTT infrastructure.
From a pure MQTT client perspective, the client does need to provide
a mandatory unique Client ID,
optional Username and Password
Although access control is not mandated in the MQTT specification for use in MQTT Server implementations, Access Control List (ACL) functionality is available for most MQTT Server implementations. The ACL of an MQTT Server implementation is used to specify which Topic Namespace any MQTT Client can subscribe to and publish on. For further information on this topic see your MQTT broker's documentation.
The MQTT specification does not specify any TCP/IP security scheme as it was envisaged that TCP/IP security would (and did) change over time. In short, SparkplugB lifts upon MQTT, which lifts upon TCP/IP and it's ever evolving security, so SparkplugB is by design equipped with the latest security features. Allthough Sparkplug B will not specify any TCP/IP security schema it will provide examples on how to secure an MQTT infrastructure using TLS security.