
SI-10(6) Information Input Validation | Injection Prevention

IL5
IL6

>Control Description

Prevent untrusted data injections.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Untrusted data injections may be prevented using a parameterized interface or output escaping (output encoding). Parameterized interfaces separate data from code so that injections of malicious or unintended data cannot change the semantics of commands being sent. Output escaping uses specified characters to inform the interpreter's parser whether data is trusted.

Prevention of untrusted data injections is with respect to the information inputs defined by the organization in the base control (SI-10).
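As an added example (not part of the control text or any reference implementation), the two mechanisms the discussion describes, a parameterized interface and output escaping, shown side by side in Python against a string-concatenated query; the table, rows and input values are constructed for illustration only.

```python
import html
import sqlite3

# Constructed sample table; the schema and rows are assumptions for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    # Data is spliced into the command text, so the input can change the
    # semantics of the statement (the unparameterized form, kept for contrast).
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized interface: the '?' placeholder is bound by the driver,
    # so the input is always treated as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def render_name(name: str) -> str:
    # Output escaping: characters significant to the HTML parser are encoded,
    # so the browser treats the value as text rather than as markup.
    return "<td>" + html.escape(name, quote=True) + "</td>"

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print(find_user_concat(db, hostile))  # ['alice', 'bob']: WHERE clause rewritten
    print(find_user_param(db, hostile))   # []: input stayed data, no such name
    print(render_name("<b>bob</b>"))      # <td>&lt;b&gt;bob&lt;/b&gt;</td>
```

The same input yields every row through concatenation and no rows through the bound parameter, which is the data/code separation the discussion refers to; `html.escape` covers the output-encoding case for an HTML interpreter.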

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern injection prevention?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

  • What technical controls detect and respond to injection prevention issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?
  • What anti-malware solutions are deployed and how are they configured?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-10(6) is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?
  • Can you show recent malware detection reports and response actions?
