SC-30: Concealment and Misdirection
Control Family:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
N/A
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SC-30: Concealment And Misdirection
Control Statement
Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques].
Supplemental Guidance
Concealment and misdirection techniques can significantly reduce the targeting capabilities of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. For example, virtualization techniques provide organizations with the ability to disguise systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. The increased use of concealment and misdirection techniques and methods-including randomness, uncertainty, and virtualization-may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment and misdirection techniques may provide additional time to perform core mission and business functions. The implementation of concealment and misdirection techniques may add to the complexity and management overhead required for the system.
Control Enhancements
SC-30(2): Randomness
Baseline(s):
Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
SC-30(3): Change Processing and Storage Locations
Baseline(s):
Change the location of [Assignment: organization-defined processing and/or storage] [Assignment: [Assignment: organization-defined time frequency] , at random time intervals]].
SC-30(4): Misleading Information
Baseline(s):
Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture.
SC-30(5): Concealment of System Components
Baseline(s):
Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques].