NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-23 Information Fragmentation

Based on {{ insert: param, si-23_odp.01 }}: (a) fragment the following information: {{ insert: param, si-23_odp.02 }}; and (b) distribute the fragmented information across the following systems or system components: {{ insert: param, si-23_odp.03 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

One objective of the advanced persistent threat is to exfiltrate valuable information. Once exfiltrated, there is generally no way for the organization to recover the lost information. Therefore, organizations may consider dividing the information into disparate elements and distributing those elements across multiple systems or system components and locations. Such actions will increase the adversary’s work factor to capture and exfiltrate the desired information and, in so doing, increase the probability of detection. The fragmentation of information impacts the organization’s ability to access the information in a timely manner. The extent of the fragmentation is dictated by the impact or classification level (and value) of the information, threat intelligence information received, and whether data tainting is used (i.e., data tainting-derived information about the exfiltration of some information could result in the fragmentation of the remaining information).

Practitioner Notes

Information fragmentation splits sensitive data across multiple systems or locations so that compromising any single system does not give the attacker the complete dataset.

Example 1: Store different elements of sensitive records in different databases: customer names in one, account numbers in another, and transaction details in a third. An attacker who compromises one database obtains only a fragment of the complete record and must still breach the others to reassemble it.

Example 2: Use Shamir's Secret Sharing to split encryption master keys across multiple key custodians. No single person has the complete key. Reconstruction requires a minimum number of custodians (e.g., 3 of 5) to contribute their key fragments simultaneously.