NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-24 — Fail in Known State
Fail to a {{ insert: param, sc-24_odp.02 }} for the following failures on the indicated components while preserving {{ insert: param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01 }}.
Supplemental Guidance
Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes.
Practitioner Notes
When a system or component fails (crash, hardware fault, resource exhaustion, attack), it must fail into a state that was defined in advance, rather than into whatever state the failure happens to leave behind, which may expose data, disable a security function, or leave a half-completed transaction in place. The three parameters above are the organization's choices: which failures on which components are in scope, which known state each fails to (for security-enforcing components that normally means fail-closed), and which state information must survive the failure so the component can be restarted and its failure investigated.
Example 1: Configure your web servers to return a generic, static error page on failure rather than stack traces, query text, or debug output. The page gives users a support contact and a reference identifier without revealing system internals to an attacker; the details belong in server-side logs, which are the state information preserved for the restart and the investigation. Serve the page from something that does not depend on the failed component (a static file, not the application that just crashed), and make sure the application's failure path never falls back to a permissive default, for example an authorization check that raises must deny, not skip the check.
Example 2: Set your firewall to fail-closed mode. If the inspection engine crashes, the firewall blocks all traffic rather than passing it through uninspected, so a failure does not create a window where traffic flows unmonitored. Fail-closed costs availability, and SC-24 leaves the choice of known state to the organization per component; what the control requires is that the state be chosen and documented deliberately rather than left to the device's factory default. Verify the choice as part of testing: kill the inspection process on a non-production unit and confirm that traffic actually stops and that the event is recorded.
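The following is an added illustration of the pattern behind both examples in working code; it is not part of the NIST control text and not a configuration for any particular product. It wraps a decision function so that any exception yields a predefined disposition (fail-closed DENY for the inspection engine, a static 500 page for the web handler) after preserving the failure context in a journal. The inspection engine, packet format, user database, support address and journal class are constructed for the example; a real deployment would write the journal to a local append-only file or syslog. The weak fail-open setting is included next to the fail-closed one so the difference is visible on the same crash.

```python
import traceback
from typing import Any, Callable

ALLOW = "ALLOW"
DENY = "DENY"


class FailureJournal:
    """In-memory stand-in (assumption) for durable storage of failure state.
    Each record receives a reference id that is safe to show to users; the
    traceback and context stay in the record, which is what a restart and
    an investigation read back."""

    def __init__(self) -> None:
        self.records: list[dict[str, Any]] = []

    def preserve(self, component: str, context: dict[str, Any], exc: BaseException) -> str:
        ref = f"F{len(self.records) + 1:06d}"
        self.records.append({
            "ref": ref,
            "component": component,
            "context": context,                      # what a restart needs to resume
            "error_type": type(exc).__name__,
            "trace": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
        })
        return ref


def fail_to(component: str, known_state: Any, journal: FailureJournal):
    """Decorator: if the wrapped decision raises, preserve state information
    and return `known_state` instead of propagating the failure."""
    def wrap(fn: Callable[..., Any]) -> Callable[..., Any]:
        def inner(*args: Any, **kwargs: Any) -> Any:
            try:
                return fn(*args, **kwargs)
            except Exception as exc:                # any failure of the component
                journal.preserve(component, {"args": repr(args), "kwargs": repr(kwargs)}, exc)
                return known_state
        return inner
    return wrap


# --- Example 2: inline inspection engine ------------------------------------

def inspect(packet: bytes) -> str:
    """Constructed stand-in for an inspection engine. Packet format (assumed):
    one-byte length prefix followed by the body. A truncated or empty packet
    makes the engine raise, which is the 'crash' the firewall must survive."""
    length = packet[0]                              # IndexError on an empty packet
    body = packet[1:1 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return DENY if b"evil" in body else ALLOW


def make_firewall(journal: FailureJournal, fail_closed: bool = True) -> Callable[[bytes], str]:
    """fail_closed=True is the known state for a security-enforcing component;
    False is the weak setting in which an engine crash passes traffic uninspected."""
    return fail_to("inspection-engine", DENY if fail_closed else ALLOW, journal)(inspect)


# --- Example 1: web handler with a generic error page ------------------------

GENERIC_ERROR = "An error occurred. Quote reference {ref} to support@example.invalid."


def render_profile(user_id: str, db: dict[str, str]) -> tuple[int, str]:
    """Constructed request handler; an unknown user raises KeyError."""
    return 200, f"Hello {db[user_id]}"


def handle_request(user_id: str, db: dict[str, str], journal: FailureJournal) -> tuple[int, str]:
    """Known state for the web tier: a static 500 body carrying only a support
    reference. Request context and traceback go to the journal, not the client."""
    try:
        return render_profile(user_id, db)
    except Exception as exc:
        ref = journal.preserve("web-handler", {"user_id": user_id}, exc)
        return 500, GENERIC_ERROR.format(ref=ref)


if __name__ == "__main__":
    journal = FailureJournal()
    closed = make_firewall(journal, fail_closed=True)
    weak = make_firewall(journal, fail_closed=False)
    truncated = bytes([9]) + b"abc"                 # constructed malformed packet
    print("ok packet     :", closed(bytes([2]) + b"ok"))     # ALLOW
    print("evil packet   :", closed(bytes([4]) + b"evil"))   # DENY
    print("crash, closed :", closed(truncated))              # DENY
    print("crash, open   :", weak(truncated))                # ALLOW: the uninspected window
    print(handle_request("alice", {"alice": "Alice"}, journal))
    print(handle_request("mallory", {"alice": "Alice"}, journal))
    print("journal refs  :", [r["ref"] for r in journal.records])
```

The point of routing every failure through one `fail_to` wrapper is that the known state is chosen once, per component, at configuration time, which is exactly what the SC-24 parameters ask the organization to do; the reference id on the generic page is the link between what the user sees and the preserved state that the operator restores from.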