Back to Control Explorer
SC.3.181
Content
Control Acronym
SC
Family
System And Communications Protection
CMMC Level
3
800-171 Control #
3.13.3
CMMC Description
Separate user functionality from system management functionality.
CMMC Clarification
Prevent user functionality and services from accessing system management functionality on IT components, e.g., databases, network components, workstations, servers. This reduces the attack surface to those critical interfaces by limiting who can access them and how they can be accessed. This can be achieved through both logical and physical methods using computers, CPUs, operating system, network addresses or a combination of these methods. By separating the user functionality from system management functionality, the administrator or privileged functions are not available to the general user. The intent of this practice is to ensure: * general users are not permitted to perform system adminstation functions * system administrators only perform system administration functions from their privileged account. This can be accomplished using separation like VLANs or logical separation using strong access control methods. Example 1 You are an IT administrator responsible for preventing access to information system management functions for your organization. Your company has a policy stating that system management functionality must be separated from user functionality. To comply with the policy, you provide physical protection by segregating certain functions to separate servers and connect those servers to their own sub-net network. You limit access to the separate servers so only approved system administrators can access them. They use special admin accounts with a different username from their normal accounts to login to these servers.
800-171 Description
Separate user functionality from system management functionality.
800-171 Discussion
System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.
Other Source Discussion
N/A
CIS Control References
CIS Controls v7.1 4.3
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 SC-2
CMMC Derived
NIST CSF Control References
NIST 800-171 References
NIST SP 800-171 Rev 1 3.13.3
Applicable FAR Clause
NIST CSF Control Reference
CERT RMM Reference
CERT RMM v1.2 KIM:SG2.SP2
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
AU ACSC Essential Eight
Sub-Criterias
Assessment Sub-Criteria 1
SC.3.181.[a] user functionality is identified;
Assessment Sub-Criteria 2
SC.3.181.[b] system management functionality is identified; and
Assessment Sub-Criteria 3
SC.3.181.[c] user functionality is separated from system management functionality.