SC-30(2): Randomness

Threats Addressed:


(Not part of any baseline)

Previous Version:

Control Statement

Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.

Supplemental Guidance

Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations that support critical missions or business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques that involve randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating roles and responsibilities of organizational personnel.