SC.3.182

Control Acronym

SC

Family

System And Communications Protection

CMMC Level

3

800-171 Control #

3.13.4

CMMC Description

Prevent unauthorized and unintended information transfer via shared system resources.

CMMC Clarification

No shared system resource such as cache memory, hard disks, registers, or main memory should be able to pass information from one user to another user. In other words, when objects are reused no residual information should exist on that object. This protects the confidentiality of the information. This is typically a feature provided by operating system and software vendors. Example You are the system administrator for your company. You are creating the system hardening procedures for your company’s computers. To prevent unauthorized and unintended information transfer via shared resources, you include in your procedures steps to verify the operating system is configured correctly. You examine the Computer Configuration policies in the operating system and verify the settings match those documented in the hardening procedures.

800-171 Description

Prevent unauthorized and unintended information transfer via shared system resources.

800-171 Discussion

The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-4

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.4

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

SC.3.182.[a] unauthorized and unintended information transfer via shared system resources is prevented.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15