Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >System And Information Integrity
  4. >SP800-53-SI-20
SP800-53-SI-20Active

Tainting

Statement

Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: systems or system components.

Location

Control Family
System and Information Integrity

Control Details

Identifier
SP800-53-SI-20
Family
SI

Organisation-Defined Parameters

si-20_odp
systems or system components

Supplemental Guidance

Many cyber-attacks target organizational information, or information that the organization holds on behalf of other entities (e.g., personally identifiable information), and exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove information from the system that is in violation of the organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity, so any packets it includes potentially contain malicious code, and that the unauthorized entity may have potentially obtained a copy of the database. Another tainting approach can include embedding false data or steganographic data in files to enable the data to be found via open-source analysis. Finally, an active tainting approach can include embedding software in the data that is able to "call home," thereby alerting the organization to its "capture," and possibly its location, and the path by which it was exfiltrated or removed.

Assessment Objective

data or capabilities are embedded in systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization.

No cross-framework mappings available

← Back to System and Information Integrity
System and Information Integrity119 controls
SP800-53-SI-1Policy and ProceduresSP800-53-SI-2Flaw RemediationSP800-53-SI-2(1)Central ManagementSP800-53-SI-2(2)Automated Flaw Remediation StatusSP800-53-SI-2(3)Time to Remediate Flaws and Benchmarks for Corrective ActionsSP800-53-SI-2(4)Automated Patch Management ToolsSP800-53-SI-2(5)Automatic Software and Firmware UpdatesSP800-53-SI-2(6)Removal of Previous Versions of Software and FirmwareSP800-53-SI-2(7)Root Cause AnalysisSP800-53-SI-3Malicious Code ProtectionSP800-53-SI-3(1)Central ManagementSP800-53-SI-3(2)Automatic UpdatesSP800-53-SI-3(3)Non-privileged UsersSP800-53-SI-3(4)Updates Only by Privileged UsersSP800-53-SI-3(5)Portable Storage DevicesSP800-53-SI-3(6)Testing and VerificationSP800-53-SI-3(7)Nonsignature-based DetectionSP800-53-SI-3(8)Detect Unauthorized CommandsSP800-53-SI-3(9)Authenticate Remote CommandsSP800-53-SI-3(10)Malicious Code AnalysisSP800-53-SI-4System MonitoringSP800-53-SI-4(1)System-wide Intrusion Detection SystemSP800-53-SI-4(2)Automated Tools and Mechanisms for Real-time AnalysisSP800-53-SI-4(3)Automated Tool and Mechanism IntegrationSP800-53-SI-4(4)Inbound and Outbound Communications TrafficSP800-53-SI-4(5)System-generated AlertsSP800-53-SI-4(6)Restrict Non-privileged UsersSP800-53-SI-4(7)Automated Response to Suspicious EventsSP800-53-SI-4(8)Protection of Monitoring InformationSP800-53-SI-4(9)Testing of Monitoring Tools and MechanismsSP800-53-SI-4(10)Visibility of Encrypted CommunicationsSP800-53-SI-4(11)Analyze Communications Traffic AnomaliesSP800-53-SI-4(12)Automated Organization-generated AlertsSP800-53-SI-4(13)Analyze Traffic and Event PatternsSP800-53-SI-4(14)Wireless Intrusion DetectionSP800-53-SI-4(15)Wireless to Wireline CommunicationsSP800-53-SI-4(16)Correlate Monitoring InformationSP800-53-SI-4(17)Integrated Situational AwarenessSP800-53-SI-4(18)Analyze Traffic and Covert ExfiltrationSP800-53-SI-4(19)Risk for IndividualsSP800-53-SI-4(20)Privileged UsersSP800-53-SI-4(21)Probationary PeriodsSP800-53-SI-4(22)Unauthorized Network ServicesSP800-53-SI-4(23)Host-based DevicesSP800-53-SI-4(24)Indicators of CompromiseSP800-53-SI-4(25)Optimize Network Traffic AnalysisSP800-53-SI-5Security Alerts, Advisories, and DirectivesSP800-53-SI-5(1)Automated Alerts and AdvisoriesSP800-53-SI-6Security and Privacy Function VerificationSP800-53-SI-6(1)Notification of Failed Security TestsSP800-53-SI-6(2)Automation Support for Distributed TestingSP800-53-SI-6(3)Report Verification ResultsSP800-53-SI-7Software, Firmware, and Information IntegritySP800-53-SI-7(1)Integrity ChecksSP800-53-SI-7(2)Automated Notifications of Integrity ViolationsSP800-53-SI-7(3)Centrally Managed Integrity ToolsSP800-53-SI-7(4)Tamper-evident PackagingSP800-53-SI-7(5)Automated Response to Integrity ViolationsSP800-53-SI-7(6)Cryptographic ProtectionSP800-53-SI-7(7)Integration of Detection and ResponseSP800-53-SI-7(8)Auditing Capability for Significant EventsSP800-53-SI-7(9)Verify Boot ProcessSP800-53-SI-7(10)Protection of Boot FirmwareSP800-53-SI-7(11)Confined Environments with Limited PrivilegesSP800-53-SI-7(12)Integrity VerificationSP800-53-SI-7(13)Code Execution in Protected EnvironmentsSP800-53-SI-7(14)Binary or Machine Executable CodeSP800-53-SI-7(15)Code AuthenticationSP800-53-SI-7(16)Time Limit on Process Execution Without SupervisionSP800-53-SI-7(17)Runtime Application Self-protectionSP800-53-SI-8Spam ProtectionSP800-53-SI-8(1)Central ManagementSP800-53-SI-8(2)Automatic UpdatesSP800-53-SI-8(3)Continuous Learning CapabilitySP800-53-SI-9Information Input RestrictionsSP800-53-SI-10Information Input ValidationSP800-53-SI-10(1)Manual Override CapabilitySP800-53-SI-10(2)Review and Resolve ErrorsSP800-53-SI-10(3)Predictable BehaviorSP800-53-SI-10(4)Timing InteractionsSP800-53-SI-10(5)Restrict Inputs to Trusted Sources and Approved FormatsSP800-53-SI-10(6)Injection PreventionSP800-53-SI-11Error HandlingSP800-53-SI-12Information Management and RetentionSP800-53-SI-12(1)Limit Personally Identifiable Information ElementsSP800-53-SI-12(2)Minimize Personally Identifiable Information in Testing, Training, and ResearchSP800-53-SI-12(3)Information DisposalSP800-53-SI-13Predictable Failure PreventionSP800-53-SI-13(1)Transferring Component ResponsibilitiesSP800-53-SI-13(2)Time Limit on Process Execution Without SupervisionSP800-53-SI-13(3)Manual Transfer Between ComponentsSP800-53-SI-13(4)Standby Component Installation and NotificationSP800-53-SI-13(5)Failover CapabilitySP800-53-SI-14Non-persistenceSP800-53-SI-14(1)Refresh from Trusted SourcesSP800-53-SI-14(2)Non-persistent InformationSP800-53-SI-14(3)Non-persistent ConnectivitySP800-53-SI-15Information Output FilteringSP800-53-SI-16Memory ProtectionSP800-53-SI-17Fail-safe ProceduresSP800-53-SI-18Personally Identifiable Information Quality OperationsSP800-53-SI-18(1)Automation SupportSP800-53-SI-18(2)Data TagsSP800-53-SI-18(3)CollectionSP800-53-SI-18(4)Individual RequestsSP800-53-SI-18(5)Notice of Correction or DeletionSP800-53-SI-19De-identificationSP800-53-SI-19(1)CollectionSP800-53-SI-19(2)ArchivingSP800-53-SI-19(3)ReleaseSP800-53-SI-19(4)Removal, Masking, Encryption, Hashing, or Replacement of Direct IdentifiersSP800-53-SI-19(5)Statistical Disclosure ControlSP800-53-SI-19(6)Differential PrivacySP800-53-SI-19(7)Validated Algorithms and SoftwareSP800-53-SI-19(8)Motivated IntruderSP800-53-SI-20TaintingSP800-53-SI-21Information RefreshSP800-53-SI-22Information DiversitySP800-53-SI-23Information Fragmentation