SC-16(2)—Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms
IL5
IL6
>Control Description
Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Some attack vectors operate by altering the security attributes of an information system to intentionally and maliciously implement an insufficient level of security within the system. The alteration of attributes leads organizations to believe that a greater number of security functions are in place and operational than have actually been implemented.
>Kubernetes Implementation Examples
```yaml
# Block untrusted actors from setting security attribute labels
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: protect-classification-labels
spec:
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # CEL's has() macro only accepts field selection (has(a.b)), so a
    # hyphenated map key cannot be tested with has(labels['data-classification']).
    # Check that the labels map exists, then use the `in` operator on the key.
    - expression: >-
        !has(object.metadata.labels) ||
        !('data-classification' in object.metadata.labels) ||
        request.userInfo.username == 'system:serviceaccount:policy:labeler'
      message: "Only the labeler service account can set data-classification."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: protect-classification-labels
spec:
  policyName: protect-classification-labels
  validationActions: ["Deny"]
```
Source: SC-16(2): Admission Control for Attribute Anti-Spoofing
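The policy above rejects any UPDATE that carries the label from a principal other than the labeler, which also blocks routine updates to an already-labeled pod by controllers or operators, and it lets anyone strip the label. The variant below is an added example, not part of the original page or of any project's code, that handles both edge cases: an unchanged label on UPDATE is allowed for everyone, while setting, changing or removing it is reserved for the labeler. The service account name `system:serviceaccount:policy:labeler` and the `data-classification` key are carried over from the example above; adding `Audit` alongside `Deny` writes an audit annotation for each rejection, which gives a detection signal for attempted attribute spoofing.

```yaml
# Added example: attribute anti-spoofing policy that tolerates unchanged labels
# on UPDATE and also protects against label removal.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: protect-classification-labels-strict
spec:
  failurePolicy: Fail   # a CEL evaluation error must deny, never fail open
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # Rule 1: the label may be set or changed only by the labeler.
    # oldObject is null on CREATE, so it is only dereferenced behind the
    # request.operation == 'UPDATE' guard.
    - expression: >-
        !has(object.metadata.labels) ||
        !('data-classification' in object.metadata.labels) ||
        (request.operation == 'UPDATE' &&
         has(oldObject.metadata.labels) &&
         'data-classification' in oldObject.metadata.labels &&
         oldObject.metadata.labels['data-classification'] ==
           object.metadata.labels['data-classification']) ||
        request.userInfo.username == 'system:serviceaccount:policy:labeler'
      message: "Only the labeler service account can set or change data-classification."
    # Rule 2: the label may be removed only by the labeler, so a pod cannot be
    # silently downgraded by deleting its classification.
    - expression: >-
        request.operation != 'UPDATE' ||
        !has(oldObject.metadata.labels) ||
        !('data-classification' in oldObject.metadata.labels) ||
        (has(object.metadata.labels) &&
         'data-classification' in object.metadata.labels) ||
        request.userInfo.username == 'system:serviceaccount:policy:labeler'
      message: "Only the labeler service account can remove data-classification."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: protect-classification-labels-strict
spec:
  policyName: protect-classification-labels-strict
  # Deny enforces; Audit additionally records each violation in the audit log.
  validationActions: ["Deny", "Audit"]
```

To verify enforcement without changing cluster state, apply a labeled pod manifest with `kubectl apply --dry-run=server` from an ordinary user context and confirm the request is rejected with the policy's message, then repeat as the labeler service account and confirm it is admitted; the audit log entries produced by the `Audit` action are the evidence an assessor can be shown for the monitoring question below.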
>Relevant Technologies
Technology-specific guidance with authoritative sources and verification commands.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern the implementation of anti-spoofing mechanisms?
- How are system and communications protection requirements defined and maintained?
- Who is responsible for configuring and maintaining the security controls specified in SC-16(2)?
Technical Implementation:
- How are anti-spoofing mechanisms technically implemented in your environment?
- What systems, tools, or configurations enforce this protection requirement?
- How do you ensure that anti-spoofing mechanisms remain effective as the system evolves?
Evidence & Documentation:
- What documentation demonstrates the implementation of SC-16(2)?
- Can you provide configuration evidence or system diagrams showing this protection control?
- What logs or monitoring data verify that this control is functioning correctly?