NIST 800-53 REV 5 • RISK ASSESSMENT

RA-5(4) Discoverable Information

Determine information about the system that is discoverable and take {{ insert: param, ra-05.04_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization.

Practitioner Notes

Discoverable information refers to data about your organization that is publicly available and could help an attacker plan an attack — exposed services, leaked credentials, organizational details, and technical information.

Example 1: Conduct an Open Source Intelligence (OSINT) assessment of your organization. Search for employee email addresses on breach databases (Have I Been Pwned), look for exposed services on Shodan or Censys, and review your DNS records for information leakage. Feed the findings into your risk assessment.

Example 2: Use Microsoft Defender External Attack Surface Management (EASM) to continuously discover and monitor your internet-facing assets. The tool identifies exposed services, expired certificates, and vulnerable components that an attacker could find. Review the dashboard weekly and remediate findings.
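The two examples above produce raw discovery data (DNS records, exposed-service headers) that still has to be turned into risk-assessment findings and mapped to the corrective actions the supplemental guidance names (notify, remove, change). The script below is an added illustration of that triage step; it is not part of the NIST text or of any EASM product. It runs entirely offline over constructed sample records for a fictitious zone (`example.com`), and the finding categories, role keywords and action mapping are assumptions chosen for the example rather than anything the control prescribes.

```python
"""Offline triage of discoverable-information findings (RA-5(4)).

Input: an export of the organization's OWN public DNS records and HTTP
response headers, as a DNS dump or an EASM tool would provide them.
Output: findings tagged with a corrective-action category taken from the
RA-5(4) supplemental guidance: notify, remove, or change.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# --- Constructed sample data: fictitious zone, not any real organization ---
SAMPLE_DNS_RECORDS = [
    # (name, record type, value)
    ("www.example.com", "A", "203.0.113.10"),
    ("intranet.example.com", "A", "10.20.30.40"),              # RFC 1918 address in public DNS
    ("vpn-legacy.example.com", "CNAME", "gw01.example.com"),   # hostname reveals role/age
    ("example.com", "TXT", "v=spf1 include:_spf.example.com -all"),
    ("example.com", "TXT", "erp-vendor-verification=ab12cd34"),  # names a third-party service
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
]
SAMPLE_HTTP_HEADERS = {
    "www.example.com": {
        "Server": "Apache/2.4.41 (Ubuntu)",   # version banner (constructed value)
        "X-Powered-By": "PHP/7.4.3",          # version banner (constructed value)
        "Content-Type": "text/html",
    },
}

# Assumed detection rules for this example; tune them to your environment.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]
ROLE_KEYWORDS = {"intranet", "legacy", "staging", "dev", "test", "backup", "admin", "vpn"}
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


@dataclass
class Finding:
    asset: str
    category: str
    evidence: str
    action: str  # "notify" | "remove" | "change", per RA-5(4) supplemental guidance


def _is_internal(value: str) -> bool:
    """True if the record value is an address that should never be published."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def _subdomain_labels(name: str, zone: str) -> list[str]:
    """Split the part of the name below the zone apex into labels."""
    if name == zone or not name.endswith("." + zone):
        return []
    return re.split(r"[.-]", name[: -len(zone) - 1])


def _txt_discloses_service(value: str) -> bool:
    """Flag vendor verification tokens; SPF/DMARC/DKIM records are expected."""
    v = value.lower()
    if v.startswith(("v=spf1", "v=dmarc1", "v=dkim1")):
        return False
    return "verification" in v or "verify" in v


def assess(dns_records, http_headers, zone: str) -> list[Finding]:
    """Turn raw discovery data into findings with a corrective-action category."""
    findings: list[Finding] = []
    named_hosts: set[str] = set()  # one role-finding per hostname, not per record
    for name, rtype, value in dns_records:
        if rtype in ("A", "AAAA") and _is_internal(value):
            findings.append(Finding(name, "internal-address-in-public-dns",
                                    f"{rtype} {value}", "remove"))
        if rtype == "TXT" and _txt_discloses_service(value):
            findings.append(Finding(name, "third-party-service-disclosed",
                                    f"TXT {value}", "notify"))
        hits = ROLE_KEYWORDS.intersection(_subdomain_labels(name, zone))
        if hits and name not in named_hosts:
            named_hosts.add(name)
            findings.append(Finding(name, "role-revealing-hostname",
                                    "labels: " + ", ".join(sorted(hits)), "change"))
    for host, headers in http_headers.items():
        for header in ("Server", "X-Powered-By"):
            value = headers.get(header)
            if value and VERSION_RE.search(value):
                findings.append(Finding(host, "software-version-disclosed",
                                        f"{header}: {value}", "change"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per corrective action, for the risk-assessment summary."""
    return dict(Counter(f.action for f in findings))


if __name__ == "__main__":
    results = assess(SAMPLE_DNS_RECORDS, SAMPLE_HTTP_HEADERS, "example.com")
    for f in results:
        print(f"[{f.action:6}] {f.asset}: {f.category} ({f.evidence})")
    print("summary:", summarize(results))
```

Feed the output into the risk register from Example 1: "remove" findings (internal addresses in public DNS) are the simplest to close, "change" findings (version banners, role-revealing names) usually need a configuration or naming change, and "notify" findings are handed to the owner to confirm the disclosed service is still in use. Records belonging to an intentional decoy capability should be excluded before the triage run, as the supplemental guidance notes.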