Level 5 CMMC - CMMC Practices

SC.3.182  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Prevent unauthorized and unintended information transfer via shared system resources.

CMMC Clarification:
No shared system resource such as cache memory, hard disks, registers, or main memory should be able to pass information from one user to another user. In other words, when objects are reused no residual information should exist on that object. This protects the confidentiality of the information. This is typically a feature provided by operating system and software vendors.

Example
You are the system administrator for your company. You are creating the system hardening procedures for your company’s computers. To prevent unauthorized and unintended information transfer via shared resources, you include in your procedures steps to verify the operating system is configured correctly. You examine the Computer Configuration policies in the operating system and verify the settings match those documented in the hardening procedures.

3.13.4

Prevent unauthorized and unintended information transfer via shared system resources.

Discussion:
The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.

Source: NIST Special Publication 800-171 Rev. 2

SC-4

INFORMATION IN SHARED RESOURCES

Description:
The information system prevents unauthorized and unintended information transfer via shared system resources.

Supplemental Guidance:
This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles. Related controls: AC-3, AC-4, MP-6.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02