NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-30(2) Randomness

Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations that support critical missions or business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques that involve randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating roles and responsibilities of organizational personnel.

Practitioner Notes

Introduce randomness into system configuration and operations so that an attacker cannot plan around predictable patterns. The control leaves the technique to the organization; the two examples below are ones most environments can adopt immediately, and the same principle applies to rotating suppliers, roles and tooling as the supplemental guidance describes.

Example 1: Enable Address Space Layout Randomization (ASLR) on all systems. ASLR places the stack, heap, shared libraries and (for position-independent executables) the program image at different addresses on each run, so an exploit that hard-codes the address of a gadget or of its shellcode crashes instead of landing where it expects. ASLR is on by default in current Windows and Linux releases, so the practical task is verification rather than enablement. On Linux, confirm that /proc/sys/kernel/randomize_va_space is 2 and that security-relevant binaries are built as PIE, because the kernel cannot relocate the main image of a fixed-address (non-PIE) executable. On Windows, confirm that the system-wide mitigation has not been turned off (Get-ProcessMitigation -System reports it) and that images are linked with /DYNAMICBASE. Treat ASLR as one layer only: an information leak that discloses a single pointer lets the attacker recompute the layout, so pair it with DEP/NX and stack protection.
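The three checks above (sysctl level, PIE or not, and whether randomization is actually observable) as a POSIX shell script. This is an added example, not text or code from NIST SP 800-53 or from this page's author; it assumes a Linux host with procfs mounted at /proc and the POSIX od and head utilities, and the function names are my own.

```shell
#!/bin/sh
# Added example, not taken from NIST SP 800-53 or this page's author.
# Verifies that ASLR is actually in effect on a Linux host. Assumes procfs
# at /proc and POSIX od/head; the function names are my own.

# 1. Kernel-wide setting. 0 = off, 1 = stack, mmap and vdso randomized,
#    2 = brk randomized too (the value to require). Prints "unknown" when
#    procfs is not available.
aslr_sysctl_level() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo "unknown"
}

# 2. Per-binary check. The kernel can only relocate the main image of a
#    position-independent executable (ELF e_type ET_DYN = 3). A fixed-address
#    executable (ET_EXEC = 2) keeps its code where the linker put it whatever
#    the sysctl says. e_type is the 16-bit field at offset 16 of the ELF
#    header; byte 5 (EI_DATA) gives its byte order (1 = LE, 2 = BE).
# Prints "pie", "exec" or "unknown"; returns 1 for anything that is not ELF.
elf_type() {
    path=$1
    magic=$(head -c 4 "$path" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "unknown"
        return 1
    fi
    endian=$(od -An -tu1 -j5 -N1 "$path" | tr -d ' ')
    set -- $(od -An -tu1 -j16 -N2 "$path")
    if [ $# -ne 2 ]; then          # truncated header
        echo "unknown"
        return 1
    fi
    if [ "$endian" = "2" ]; then
        etype=$(( $1 * 256 + $2 ))   # big-endian
    else
        etype=$(( $1 + $2 * 256 ))   # little-endian (x86, arm64)
    fi
    case "$etype" in
        3) echo "pie" ;;
        2) echo "exec" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# 3. Empirical check: two freshly exec'd processes should get different stack
#    bases. Each grep reads its own /proc/self/maps, so each sees a fresh
#    address space. Returns 0 when the bases differ, 1 otherwise.
aslr_observed() {
    a=$(grep '\[stack\]' /proc/self/maps 2>/dev/null | cut -d- -f1)
    b=$(grep '\[stack\]' /proc/self/maps 2>/dev/null | cut -d- -f1)
    [ -n "$a" ] && [ "$a" != "$b" ]
}

# Report for the running host and one binary (default /bin/sh).
aslr_report() {
    bin=${1:-/bin/sh}
    echo "randomize_va_space = $(aslr_sysctl_level) (want 2)"
    echo "$bin is $(elf_type "$bin") (want pie)"
    if aslr_observed; then
        echo "stack randomization: observed"
    else
        echo "stack randomization: NOT observed"
    fi
}
```

Run aslr_report against the daemons you actually expose (sshd, the web server, the agent) rather than only /bin/sh; a single non-PIE service is enough to give an attacker a stable set of gadget addresses regardless of the sysctl.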

Example 2: Randomize scheduled task timing. Instead of running security scans at exactly midnight, start them at a random offset of up to 60 minutes after the nominal time, and do the same for backup, log-shipping and integrity-check jobs. An attacker who has learned the schedule can no longer choose a window in which they know no scan will run. Two caveats: draw the offset from a cryptographic source (the kernel random device, or a scheduler feature built for this purpose such as systemd's RandomizedDelaySec=) rather than from a predictable seed, and size the window relative to what the attacker can observe, since a one-minute jitter on a job that itself runs for an hour hides nothing. Record where the randomized start actually fell so that analysts correlating logs are not misled by the nominal schedule.
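A jitter wrapper for cron-style jobs that follows the caveats above: the delay comes from /dev/urandom rather than the shell's $RANDOM, the draw is unbiased, and the chosen offset is logged. This is an added example, not code from NIST SP 800-53 or this page's author; it assumes a POSIX shell with 64-bit arithmetic, /dev/urandom, and POSIX od, and the function names and the /usr/local/sbin paths in the comments are my own.

```shell
#!/bin/sh
# Added example, not taken from NIST SP 800-53 or this page's author.
# Delays a scheduled job by a random 0..N second offset drawn from the kernel
# CSPRNG. Assumes /dev/urandom, POSIX od and a shell with 64-bit arithmetic
# (dash, bash and busybox sh on 64-bit hosts); function names are my own.
# $RANDOM is deliberately not used: it is absent from POSIX sh and, where a
# shell provides it, it is a small-state PRNG seeded from predictable data.

# Print a uniform integer in [0, $1). Rejection sampling avoids the bias that
# a plain "r % max" introduces toward the low end of the range.
urandom_below() {
    max=$1
    if [ "$max" -le 0 ]; then
        echo 0
        return
    fi
    # Largest multiple of max at or below 2^32; a 32-bit draw >= limit is
    # discarded and redrawn, so every residue is equally likely.
    limit=$(( (4294967296 / max) * max ))
    while :; do
        r=$(od -An -tu4 -N4 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            break
        fi
    done
    echo $(( r % max ))
}

# Sleep for a random delay of at most $1 seconds, then run the remaining
# arguments as the job. The chosen delay goes to stderr (cron mails or logs
# it) so that whoever correlates this job's output with other logs knows
# when it really started, not just the nominal schedule.
run_with_jitter() {
    max=$1
    shift
    delay=$(urandom_below "$max")
    echo "jitter: sleeping ${delay}s (window ${max}s) before: $*" >&2
    sleep "$delay"
    "$@"
}

# Typical use from cron, with this file saved as /usr/local/sbin/jitter.sh
# (an assumed path). The crontab still reads "midnight", but the scan starts
# anywhere in the following hour:
#   0 0 * * *  . /usr/local/sbin/jitter.sh && run_with_jitter 3600 /usr/local/sbin/nightly-scan
# The systemd-native equivalent needs no script at all:
#   [Timer]
#   OnCalendar=daily
#   RandomizedDelaySec=1h
```

If the job is itself long-running, the window should be a multiple of the job's duration, otherwise the randomization only shifts the start by less than the interval an observer already sees the job occupying.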