This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles].
NIST 800-53 (r4) Supplemental Guidance:
Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. Related controls: AU-2, AU-3, SC-31.
NIST 800-53 (r5) Discussion:
Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.
38North Guidance:
Meets Minimum Requirement:
Ensure the system generates error messages and codes that provide the information necessary for corrective actions without revealing information that could be exploited by an adversary, such as stack traces and source code information.
Ensure error messages are only presented to those personnel approved to view them and that only the necessary information is published in the errors.
Audit logs and memory dumps must not include passwords and must be encrypted in accordance with SC-28 (1) requirements.
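As an added illustration of the minimum requirement above (example code written for this page, not part of the 38North guidance or any CSP product), the handler below separates what a caller sees from what reaches the protected log: every caller gets a generic message and a correlation id, technical detail is returned only to an assumed organization-defined role named "operator", a stack trace is never returned, and password-like fields are redacted before logging. The role name and the sensitive-field patterns are assumptions for the example.

```python
import re
import traceback
import uuid

# Organization-defined role allowed to see technical detail (SI-11 b);
# the role name is an assumption for this example.
DETAIL_ROLES = {"operator"}

# Request fields whose values must never reach a log or a response
# (constructed pattern list for the example).
SENSITIVE_KEYS = re.compile(r"password|passwd|secret|token|ssn|card", re.I)


def redact(fields: dict) -> dict:
    """Mask sensitive request fields before they reach the audit log."""
    return {k: "[REDACTED]" if SENSITIVE_KEYS.search(k) else v
            for k, v in fields.items()}


def scrub(message: str, fields: dict) -> str:
    """Remove sensitive field values that leaked into an exception message."""
    for k, v in fields.items():
        if SENSITIVE_KEYS.search(k) and v:
            message = message.replace(str(v), "[REDACTED]")
    return message


def handle_error(exc: Exception, fields: dict, role: str) -> tuple:
    """Return (response_body, log_record) for a failed request.

    The response always carries a generic message and a correlation id,
    which is enough for the caller to report the problem; exception type
    and message are added only for DETAIL_ROLES, and a stack trace is
    never returned.  The log record holds the frames for the protected
    audit log, with sensitive values redacted so the log is not the leak.
    """
    correlation_id = uuid.uuid4().hex
    message = scrub(str(exc), fields)
    response = {"error": "The request could not be completed.",
                "correlation_id": correlation_id}
    if role in DETAIL_ROLES:
        response["detail"] = f"{type(exc).__name__}: {message}"
    log_record = {
        "correlation_id": correlation_id,
        "exception": type(exc).__name__,
        "message": message,
        # Frames only; the exception text is stored scrubbed above.
        "stack": "".join(traceback.format_tb(exc.__traceback__)),
        "request": redact(fields),
    }
    return response, log_record
```

The correlation id is what a support or operations role uses to find the full record in the protected log, so the end user never needs the internal detail to get help.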
Best Practice:
OWASP cheat sheets: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
Unofficial FedRAMP Guidance: None
Assessment Evidence:
System-generated error messages and codes showing that they provide the information necessary for corrective actions without revealing information that could be exploited by an adversary (e.g., screenshots).
System-generated error messages and codes generated for different types of privileged and non-privileged users to ensure informational error messages are only revealed to defined/authorized personnel or roles (e.g., screenshots and demos).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD