NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-10(3) Predictable Behavior

Verify that the system behaves in a predictable and documented manner when invalid inputs are received.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

A common vulnerability in organizational systems is unpredictable behavior when invalid inputs are received. Verification of system predictability helps ensure that the system behaves as expected when invalid inputs are received. This occurs by specifying system responses that allow the system to transition to known states without adverse, unintended side effects. The invalid inputs are those related to the information inputs defined by the organization in the base control ([SI-10](#si-10)).

Practitioner Notes

Your system should behave predictably when it receives invalid input — always producing the same response to the same invalid input, not crashing or behaving erratically.

Example 1: Test your applications with fuzzing tools (like OWASP ZAP's fuzzer) that send random and malformed input. The application should consistently return appropriate error messages without crashing, hanging, or exposing stack traces.

Example 2: Implement consistent error handling in your code that catches all exceptions from input processing and returns a standardized error response. Never let unhandled exceptions reach the user — they should see a generic error page, not a debug dump.
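The pattern from Examples 1 and 2, as an added sketch that is not part of the control text: a handler that validates before changing state, maps every failure to a fixed error body, and a replay check that confirms invalid inputs give identical responses and leave state untouched. The names `handle`, `QUOTAS`, `verify_predictable` and the error codes are hypothetical.

```python
import json
import logging

QUOTAS = {"alice": 10}  # constructed stand-in for application state

class InvalidInput(Exception):
    """Input failed a documented rule; args[0] is the public error code."""

def _parse(raw):
    # Validate fully before touching state so a rejection has no side effects.
    try:
        doc = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        raise InvalidInput("malformed_body") from None
    if not isinstance(doc, dict):
        raise InvalidInput("malformed_body")
    user, amount = doc.get("user"), doc.get("amount")
    if not isinstance(user, str) or user not in QUOTAS:
        raise InvalidInput("unknown_user")
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= 100:
        raise InvalidInput("invalid_amount")
    return user, amount

def handle(raw):
    """Return (status, body); the same invalid input always gets the same response."""
    try:
        user, amount = _parse(raw)
        QUOTAS[user] += amount
        return 200, {"ok": True, "quota": QUOTAS[user]}
    except InvalidInput as exc:
        return 400, {"ok": False, "error": exc.args[0]}
    except Exception:
        # Detail goes to the server log only; the caller gets a generic body.
        logging.getLogger("input").exception("unhandled error while processing input")
        return 500, {"ok": False, "error": "internal_error"}

def verify_predictable(samples, runs=3):
    """Replay invalid inputs; return those that varied, succeeded or changed state."""
    failures = []
    for raw in samples:
        before = dict(QUOTAS)
        results = [handle(raw) for _ in range(runs)]
        if results.count(results[0]) != runs or results[0][0] == 200 or QUOTAS != before:
            failures.append(raw)
    return failures

SAMPLES = [b"", b"\xff\xfe", b"[1,2]", b'{"user":"bob","amount":1}',  # constructed
           b'{"user":"alice","amount":true}', b'{"user":"alice","amount":-5}']
```

An empty list from `verify_predictable(SAMPLES)` is the evidence the control asks for; the same check can replay inputs saved from a fuzzing run.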