This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization responds to information spills by:
a. Identifying the specific information involved in the information system contamination;
b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions].
NIST 800-53 (r4) Supplemental Guidance:
Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.
References: None.
NIST 800-53 (r5) Discussion:
Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.
38North Guidance:
Meets Minimum Requirement:
The organization has identified the personnel that will be alerted when an information spill has occurred.
The organization has developed the procedures to be followed when an information spill has occurred (including those in parts b through e), such as initiating contingency procedures and preserving affected components for forensic analysis.
Best Practice: None.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
List of personnel that will be alerted when an information spill has occurred
Artifact (e.g. email, text, alert) showing that personnel have been alerted, if an information spill has occurred
Artifact showing the details that are collected to be able to identify and respond to an information spill
SOP detailing the process for how information spills should be isolated and eradicated
System data flows to help identify if information spillage could have contaminated other information systems or system components (i.e. follow the data)
After-action reports for recent information spillage events which contain details about the information spill and what actions were taken
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD