NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-22 Information Diversity

Identify the following alternative sources of information for {{ insert: param, si-22_odp.02 }}: {{ insert: param, si-22_odp.01 }}; and use an alternative information source for the execution of essential functions or services on {{ insert: param, si-22_odp.03 }} when the primary source of information is corrupted or unavailable.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Actions taken by a system service or a function are often driven by the information it receives. Corruption, fabrication, modification, or deletion of that information could impact the ability of the service function to properly carry out its intended actions. By having multiple sources of input, the service or function can continue operation if one source is corrupted or no longer available. It is possible that the alternative sources of information may be less precise or less accurate than the primary source of information. But having such sub-optimal information sources may still provide a sufficient level of quality that the essential service or function can be carried out, even in a degraded or debilitated manner.

Practitioner Notes

Use diverse information sources to reduce the risk of relying on a single source that could be compromised, inaccurate, or manipulated.

Example 1: Subscribe to multiple threat intelligence feeds from different providers (CISA, commercial feeds, industry ISACs). Cross-reference indicators across sources — an IOC confirmed by multiple independent sources is much more reliable than one seen in only a single feed.

Example 2: For critical business decisions based on data, verify the data from at least two independent sources before acting. If a vulnerability scan shows a critical finding, confirm it with a manual check or a second scanning tool before declaring an emergency.
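The cross-referencing in Example 1 can be automated. The following is an added sketch, not part of the control text: it refangs and normalizes indicators from several feeds, counts distinct upstream origins rather than feed names (two feeds resold from the same vendor are not independent), and keeps working when a feed is unavailable. Feed names, origin labels and indicators are constructed sample data, and it assumes you know each feed's upstream origin.

```python
import re
from collections import defaultdict

# Constructed sample data: feed name -> (upstream origin, raw body).
# Feed names, origins and indicators are made up for illustration.
# A body of None models a feed that is corrupted or unavailable.
FEEDS = {
    "gov_feed":     ("gov",      "203.0.113.7\nevil.example[.]com\n# note\n"),
    "commercial_a": ("vendor_x", "hxxp://evil.example.com/a\n198.51.100.9\n"),
    "isac_feed":    ("vendor_x", "198.51.100.9\n203.0.113[.]7\n"),
    "commercial_b": ("vendor_y", None),
}

def normalize(raw):
    """Refang and canonicalize one line; URLs are reduced to their host."""
    s = raw.strip().lower()
    if not s or s.startswith("#"):
        return None
    s = s.replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^https?://", "", s)
    return s.split("/")[0] or None

def corroborate(feeds, min_origins=2):
    """Split indicators into confirmed / unconfirmed by distinct origins."""
    origins = defaultdict(set)
    unavailable = []
    for name, (origin, body) in feeds.items():
        if body is None:            # keep working from the remaining sources
            unavailable.append(name)
            continue
        for line in body.splitlines():
            ioc = normalize(line)
            if ioc:
                origins[ioc].add(origin)
    confirmed = {i: sorted(o) for i, o in origins.items() if len(o) >= min_origins}
    unconfirmed = {i: sorted(o) for i, o in origins.items() if len(o) < min_origins}
    return confirmed, unconfirmed, unavailable

if __name__ == "__main__":
    confirmed, unconfirmed, unavailable = corroborate(FEEDS)
    print("confirmed:", confirmed)
    print("unconfirmed:", unconfirmed)
    print("unavailable feeds:", unavailable)
```

In the sample, `198.51.100.9` appears in two feeds but both share one origin, so it stays unconfirmed; the unavailable feed is reported so the reduced coverage is visible to whoever acts on the result.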