SC-30(4)

Requirement

Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture.

Discussion

Employing misleading information is intended to confuse potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known to be targeted by adversaries. Another technique is the use of deception nets that mimic actual aspects of organizational systems but use, for example, out-of-date software configurations.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and communications protection policy; configuration management policy and procedures; procedures addressing concealment and misdirection techniques for the system; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with the responsibility to define and employ realistic but misleading information about the security posture of system components].

Test

[SELECT FROM: Mechanisms supporting and/or implementing the employment of realistic but misleading information about the security posture of system components].

ID	Assessment Objectives
SC-30(04)	realistic but misleading information about the security state or posture of <SC-30(04)_ODP system components> is employed.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!