NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-10(6) Injection Prevention

Prevent untrusted data injections.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Untrusted data injections may be prevented using a parameterized interface or output escaping (output encoding). Parameterized interfaces separate data from code so that injections of malicious or unintended data cannot change the semantics of commands being sent. Output escaping uses the interpreter's own escape sequences to mark data as literal text so that its parser does not treat that data as code. Prevention of untrusted data injections is with respect to the information inputs defined by the organization in the base control ( [SI-10](#si-10)).

Practitioner Notes

Specifically prevent injection attacks (SQL injection, OS command injection, LDAP injection, cross-site scripting) by keeping data separate from code: use a parameterized interface wherever the interpreter offers one, and context-appropriate output encoding (HTML, attribute, JavaScript, URL, LDAP filter) wherever it does not. Allow-list input validation on the inputs defined under SI-10 is a useful secondary layer, but blocklist-style "sanitization" that strips known-bad characters is not a reliable primary defense, because it has to anticipate every encoding the downstream interpreter will accept.

Example 1: Use parameterized queries (prepared statements) for all database operations. Never concatenate or format user input into SQL strings. In C# use SqlParameter, in Java use PreparedStatement, in Python pass placeholder values as the separate parameters argument of your DB-API library's execute() rather than building the statement with f-strings or the % operator. Note that bind parameters only cover values: table and column names, sort directions, and other identifiers cannot be bound and must be selected from a fixed allow-list in code. The same separation applies to OS commands (pass an argument vector instead of a shell string) and to LDAP filters (escape filter metacharacters or use a library that builds the filter for you).
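The following is an added example, not text or code from NIST 800-53 or from this page's author. It demonstrates the two mechanisms named in the Supplemental Guidance above (a parameterized interface and output escaping) and the database half of Example 1, against a constructed in-memory SQLite table with two sample rows. Both attack inputs (a tautology payload for SQL and a script tag for HTML) are constructed for the demonstration; the function and table names are assumptions made for this example.

```python
"""Added example (not part of the NIST text): the two SI-10(6) mechanisms,
parameterized interfaces and output escaping, shown against a constructed
SQLite table so the block runs offline."""
import html
import sqlite3

# Constructed sample data: a minimal users table with one admin and one user.
SAMPLE_USERS = [
    (1, "alice", "s3cret-alice", "admin"),
    (2, "bob", "s3cret-bob", "user"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows.
    The INSERT itself uses ? placeholders, i.e. a parameterized interface."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Deliberately vulnerable: user input is concatenated into the SQL text,
    so input containing a quote changes the semantics of the command."""
    sql = (
        "SELECT id, name, role FROM users WHERE name = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username: str, password: str) -> list:
    """Hardened: the SQL text is a fixed template and the values travel
    separately as bind parameters, so they can never be parsed as SQL."""
    sql = "SELECT id, name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Deliberately vulnerable: raw data dropped into an HTML text context."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_escaped(name: str) -> str:
    """Hardened: output escaping marks the data as literal text for the HTML
    parser. html.escape encodes & < > " and ' so the browser never sees a
    new tag or attribute boundary."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    """Run both versions against a classic tautology payload and an XSS
    payload; return the observations so they can be checked."""
    conn = build_db()
    # Constructed attack input: closes the string literal and adds a tautology.
    # With concatenation this becomes
    #   ... WHERE name = 'alice' OR '1'='1' AND password = 'not-the-password'
    # and the admin row matches without the password.
    sqli_user = "alice' OR '1'='1"
    wrong_pw = "not-the-password"
    xss_name = "<script>alert(1)</script>"
    results = {
        "vulnerable_rows": login_vulnerable(conn, sqli_user, wrong_pw),
        "parameterized_rows": login_parameterized(conn, sqli_user, wrong_pw),
        "legit_rows": login_parameterized(conn, "bob", "s3cret-bob"),
        "vulnerable_html": render_greeting_vulnerable(xss_name),
        "escaped_html": render_greeting_escaped(xss_name),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the concatenated query returning the admin row for a wrong password while the parameterized query returns nothing for the same input and still returns the correct row for a legitimate login; the escaped greeting contains no `<script>` tag. The same pattern (fixed template, data passed out of band) is what SqlParameter and PreparedStatement give you in C# and Java.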

Example 2: Deploy a WAF with injection prevention rules (the OWASP ModSecurity Core Rule Set) in front of your web applications. The WAF inspects requests for SQL injection, XSS, and command injection patterns and blocks them before they reach your application code. Treat this as a compensating control layered on top of Example 1, not a substitute for it: signature-based rules can be bypassed by payloads using encodings or syntax the rules do not anticipate, and they raise false positives on legitimate input, so the rule set needs tuning for each application. Forward the WAF's block and audit logs to your SIEM, since a burst of injection-rule hits is also a useful detection signal that an application is being probed.