NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY
SI-15 — Information Output Filtering
Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: {{ insert: param, si-15_odp }}.
Supplemental Guidance
Certain types of attacks, including SQL injections, produce output results that are unexpected or inconsistent with the output results that would be expected from software programs or applications. Information output filtering focuses on detecting extraneous content, preventing such extraneous content from being displayed, and then alerting monitoring tools that anomalous behavior has been discovered.
Practitioner Notes
Filter the output of your systems to prevent sensitive information from being inadvertently disclosed in system outputs — reports, screens, error messages, and data exports.
Example 1: Configure your applications to mask sensitive data in output displays. Show only the last four digits of SSNs, mask credit card numbers except the last four digits, and redact passwords in log files. Never display full sensitive data unless the user specifically requests it.
Example 2: Use Microsoft Purview DLP policies to scan outbound emails and file shares for sensitive data patterns. If a report containing unmasked SSNs is attached to an email, the DLP policy blocks the send and notifies the user to redact the data first.
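A worked output filter that puts the supplemental guidance and Example 1 into code, added here as an illustration (it is not part of NIST SP 800-53 or any vendor product): fields declared sensitive are masked to their last four digits, fields the output schema does not expect are dropped as extraneous content, and a sensitive pattern surfacing in a plain-text field is masked and raised as an alert for monitoring. The schema, record and log line are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Patterns for the data types Example 1 calls out (constructed, not exhaustive).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
PASSWORD_RE = re.compile(r"(?i)(password\s*[=:]\s*)\S+")   # key=value / key: value forms


@dataclass
class FilterResult:
    output: dict                      # the record as it may be displayed
    alerts: list = field(default_factory=list)  # findings for monitoring tools


def mask_ssn(text: str) -> str:
    """Keep only the last four digits of any SSN in the text."""
    return SSN_RE.sub(r"***-**-\3", text)


def mask_card(text: str) -> str:
    """Keep only the last four digits of any card number in the text."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(_mask, text)


def redact_log_line(line: str) -> str:
    """Replace password values in a log line before it is written."""
    return PASSWORD_RE.sub(r"\1[REDACTED]", line)


def filter_record(record: dict, expected_fields: dict) -> FilterResult:
    """Validate one output record against its expected schema (SI-15).

    expected_fields maps field name -> "text", "ssn" or "card".
    Unexpected fields are extraneous content and are dropped; sensitive
    patterns inside a "text" field are masked and reported as anomalous.
    """
    out, alerts = {}, []
    for key, value in record.items():
        if key not in expected_fields:
            alerts.append(f"extraneous field {key!r} dropped from output")
            continue
        value, kind = str(value), expected_fields[key]
        if kind == "ssn":
            value = mask_ssn(value)
        elif kind == "card":
            value = mask_card(value)
        elif SSN_RE.search(value) or CARD_RE.search(value):
            alerts.append(f"sensitive pattern found in text field {key!r}")
            value = mask_card(mask_ssn(value))
        out[key] = value
    for key in expected_fields:
        if key not in out:
            alerts.append(f"expected field {key!r} missing from output")
    return FilterResult(out, alerts)


# Constructed sample schema and record; "debug_sql" is not part of the schema.
EXPECTED_FIELDS = {"name": "text", "ssn": "ssn", "card": "card", "notes": "text"}
SAMPLE_RECORD = {"name": "Ada", "ssn": "123-45-6789", "card": "4111 1111 1111 1111",
                 "notes": "call re: 987-65-4321", "debug_sql": "SELECT * FROM users"}
```

Wire `filter_record` in front of the report or API layer and route `alerts` to the same monitoring pipeline that receives other application anomalies.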