NIST 800-53 r5 · Controls catalogue · Family SI
SI-23 Information Fragmentation
Based on {{ insert: param, si-23_odp.01 }}: Fragment the following information: {{ insert: param, si-23_odp.02 }}; and distribute the fragmented information across the following systems or system components: {{ insert: param, si-23_odp.03 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (7)
- T1070 Indicator Removal (Stealth)
- T1072 Software Deployment Tools (Execution, Lateral Movement)
- T1119 Automated Collection (Collection)
- T1565 Data Manipulation (Impact)
- T1565.001 Stored Data Manipulation (Impact)
- T1685.005 Clear Windows Event Logs (Defense Impairment)
- T1685.006 Clear Linux or Mac System Logs (Defense Impairment)
Weaknesses this control addresses (4)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Fragmentation across systems ensures that exposure from any single component yields only incomplete information, directly reducing the impact of unauthorized disclosure. |
| CWE-284 | Improper Access Control | 4,832 | Compromise of access control on any one system or component still leaves an attacker with only a useless fragment, limiting the practical exploitability of the weakness. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | Distributing fragments into separate spheres means a resource leak or exposure on one system does not place the full sensitive information into the wrong sphere. |
| CWE-922 | Insecure Storage of Sensitive Information | 421 | Storing information as fragments on distinct components is an architectural control that avoids insecure single-location storage of the complete sensitive data set. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |