Navigate

SC-30 (4)

SC-30 (4): Misleading Information

The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture.

Supplemental

This control enhancement misleads potential adversaries regarding the nature and extent of security safeguards deployed by organizations. As a result, adversaries may employ incorrect (and as a result ineffective) attack techniques. One way of misleading adversaries is for organizations to place misleading information regarding the specific security controls deployed in external information systems that are known to be accessed or targeted by adversaries. Another technique is the use of deception nets (e.g., honeynets, virtualized environments) that mimic actual aspects of organizational information systems but use, for example, out-of-date software configurations.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-30 (4).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of SC-30 (4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SC-30 (4).

CCI	Definition
CCI-002493	The organization defines the information system components in which it will employ realistic but misleading information regarding its security state or posture.
CCI-002494	The organization employs realistic, but misleading, information in organization-defined information system components with regard to its security state or posture.