Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
Reveals error messages only to [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. Related controls: AU-2, AU-3, SC-31.
Control Enhancements: None.
References: None.
Priority and Baseline Allocation:
P2
LOW Not Selected
MOD SI-11
HIGH SI-11
SI-12 INFORMATION HANDLING AND RETENTION
Control: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4.
Control Enhancements: None.
References: None.
Priority and Baseline Allocation:
P2
LOW SI-12
MOD SI-12
HIGH SI-12
SI-13 PREDICTABLE FAILURE PREVENTION
Control: The organization:
Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].
Supplemental Guidance: While MTTF is primarily a reliability issue, this control addresses potential failures of specific information system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define criteria for substitution of information system components based on MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability (e.g., preservation of state variables). Standby components remain available at all times except for maintenance issues or recovery failures in progress. Related controls: CP-2, CP-10, MA-6.
The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
predictable failure prevention | time limit on process execution without supervision
[Withdrawn: Incorporated into SI-7 (16)].
predictable failure prevention | manual transfer between components
The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].
The organization, if information system component failures are detected:
Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
[Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
Supplemental Guidance: Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures.
The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.
Supplemental Guidance: Failover refers to the automatic switchover to an alternate information system upon the failure of the primary information system. Failover capability includes, for example, incorporating mirrored information system operations at alternate processing sites or periodic data mirroring at regular intervals defined by recovery time periods of organizations.