
SI-11

System and Information Integrity · Rev 5 · system

Error Handling

Baselines: Moderate, High

Control Statement

a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

b. Reveal error messages only to [Assignment: personnel or roles].

Supplemental Guidance

Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.

Related Controls (5)

AU-2, AU-3, SC-31, SI-2, SI-15

CCI Identifiers (5)

CCI-001311: The information system identifies potentially security-relevant error conditions.

CCI-001312: Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited.

CCI-001313: The organization defines sensitive or potentially harmful information that should not be contained in error logs and administrative messages.

CCI-001314: Reveal error messages only to organization-defined personnel or roles.

CCI-002759: Defines the personnel or roles to whom error messages are to be revealed.

Linked STIG Checks (200)

Across 75 STIGs.