Navigate

CCI-001314

CCI-001314 Definition

Reveal error messages only to organization-defined personnel or roles.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

Determine if error messages are revealed only to [SI-11_ODP; personnel or roles to whom error messages are to be revealed is/are defined].

Validation Procedures

Examine: [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system error handling; system design documentation; system configuration settings and associated documentation; documentation providing the structure and content of error messages; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer]. Test: [SELECT FROM: Organizational processes for error handling; automated mechanisms supporting and/or implementing error handling; automated mechanisms supporting and/or implementing the management of error messages].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001314.

Control	Description
SI-11	a: Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b: Reveal error messages only to [personnel or roles to whom error messages are to be revealed is/are defined;].