SC-30(2): Randomness

Threats Addressed:


(Not part of any baseline)

Next Version:

Control Statement

The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.

Supplemental Guidance

Randomness introduces increased levels of uncertainty for adversaries regarding the actions organizations take in defending against cyber attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations supporting critical missions/business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques involving randomness include, for example, performing certain routine actions at different times of day, employing different information technologies (e.g., browsers, search engines), using different suppliers, and rotating roles and responsibilities of organizational personnel.