SC-30: Concealment And Misdirection

Baselines:

  • Low

    N/A

  • Moderate

    N/A

  • High

    N/A

Control Statement

The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries.

Supplemental Guidance

Concealment and misdirection techniques can significantly reduce the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber attacks. For example, virtualization techniques provide organizations with the ability to disguise information systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. Increased use of concealment/misdirection techniques including, for example, randomness, uncertainty, and virtualization, may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment/misdirection techniques may also provide organizations additional time to successfully perform core missions and business functions. Because of the time and effort required to support concealment/misdirection techniques, it is anticipated that such techniques would be used by organizations on a very limited basis.

Control Enhancements

SC-30(2): Randomness

Baseline(s):

(Not part of any baseline)

The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.

SC-30(3): Change Processing / Storage Locations

Baseline(s):

(Not part of any baseline)

The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals].

SC-30(4): Misleading Information

Baseline(s):

(Not part of any baseline)

The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture.

SC-30(5): Concealment Of System Components

Baseline(s):

(Not part of any baseline)

The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components].