SC-30(2)—Randomness
>Control Description
Employ organization-defined techniques to introduce randomness into organizational operations and assets.
>Supplemental Guidance
Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations that support critical missions or business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks.
Misdirection techniques that involve randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating roles and responsibilities of organizational personnel.
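One way to implement the timing and role-rotation techniques named in the guidance, as an added example that is not part of the NIST text or of this page: every start time and assignment is drawn from the OS CSPRNG through `secrets.SystemRandom` (a seeded `random` stream would let an observer of past schedules reconstruct the generator and predict the next ones), and the plan is returned as a value so it can be logged as the evidence the assessment questions ask for. Task names, people and roles are constructed sample values.

```python
"""Randomised timing and role rotation for routine defensive actions (SC-30(2))."""
import secrets
from datetime import datetime, timedelta

# OS CSPRNG: unpredictable even to someone who has seen every earlier schedule.
_SYSTEM_RNG = secrets.SystemRandom()


def random_start(day_iso, start_hour, end_hour, rng=_SYSTEM_RNG):
    """Pick a uniformly random start time on `day_iso` inside [start_hour, end_hour)."""
    if not 0 <= start_hour < end_hour <= 24:
        raise ValueError("window must satisfy 0 <= start < end <= 24")
    base = datetime.fromisoformat(day_iso).replace(hour=0, minute=0, second=0, microsecond=0)
    offset = start_hour * 3600 + rng.randrange((end_hour - start_hour) * 3600)
    return base + timedelta(seconds=offset)


def weekly_plan(first_day_iso, tasks, start_hour, end_hour, rng=_SYSTEM_RNG):
    """One entry per task per day for seven days. Each day's time is an independent
    draw, so the sequence of past times carries no information about future ones."""
    first = datetime.fromisoformat(first_day_iso)
    plan = []
    for i in range(7):
        day_iso = (first + timedelta(days=i)).date().isoformat()
        for task in tasks:
            plan.append({"task": task, "start": random_start(day_iso, start_hour, end_hour, rng)})
    return plan


def rotate_roles(people, roles, previous=None, rng=_SYSTEM_RNG, max_tries=100):
    """Assign each role to a distinct person at random, never repeating last period's holder."""
    if len(roles) > len(people):
        raise ValueError("more roles than people")
    previous = previous or {}
    for _ in range(max_tries):
        assignment = dict(zip(roles, rng.sample(people, len(roles))))
        if all(assignment[r] != previous.get(r) for r in roles):
            return assignment
    raise RuntimeError("no rotation found that avoids every previous holder")


if __name__ == "__main__":
    # Constructed sample inputs: two routine checks run at a random time each weekday-hour window.
    for entry in weekly_plan("2024-01-08", ["integrity-scan", "log-review"], 9, 17):
        print(entry["start"].isoformat(), entry["task"])
    print(rotate_roles(["alice", "bob", "carol", "dave"], ["on-call-analyst", "change-approver"],
                       previous={"on-call-analyst": "alice"}))
```

Recording the returned plan (rather than only acting on it) gives the auditor a log that the randomised schedule was actually followed.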
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern the implementation of randomness?
- How are system and communications protection requirements defined and maintained?
- Who is responsible for configuring and maintaining the security controls specified in SC-30(2)?
Technical Implementation:
- How is randomness technically implemented in your environment?
- What systems, tools, or configurations enforce this protection requirement?
- How do you ensure that randomness remains effective as the system evolves?
Evidence & Documentation:
- What documentation demonstrates the implementation of SC-30(2)?
- Can you provide configuration evidence or system diagrams showing this protection control?
- What logs or monitoring data verify that this control is functioning correctly?