SC-30(4)—Misleading Information
>Control Description
Employ realistic, but misleading information in ⚙organization-defined system components about its security state or posture.
>Cross-Framework Mappings
>Supplemental Guidance
Employing misleading information is intended to confuse potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known to be targeted by adversaries.
Another technique is the use of deception nets that mimic actual aspects of organizational systems but use, for example, out-of-date software configurations.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern the implementation of misleading information?
- •How are system and communications protection requirements defined and maintained?
- •Who is responsible for configuring and maintaining the security controls specified in SC-30(4)?
Technical Implementation:
- •How is misleading information technically implemented in your environment?
- •What systems, tools, or configurations enforce this protection requirement?
- •How do you ensure that misleading information remains effective as the system evolves?
Evidence & Documentation:
- •What documentation demonstrates the implementation of SC-30(4)?
- •Can you provide configuration evidence or system diagrams showing this protection control?
- •What logs or monitoring data verify that this control is functioning correctly?
Ask AI
Configure your API key to use AI features.