NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION

3.13.4Information in Shared System Resources

Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, the control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted, covert channels (including storage and timing channels) in which shared system resources are manipulated to violate information flow restrictions, or components within systems for which there are only single users or roles.

CMMC Practice Mapping

NIST 800-53 Controls

SC-2

Assessment Objectives

  • unauthorized information transfer via shared system resources is prevented.
  • unintended information transfer via shared system resources is prevented.

Practitioner Notes

When users or processes share system resources -- like memory, disk space, or temp directories -- there is a risk that leftover data from one user could be accessible to the next. This practice says you need to prevent that kind of data leakage.

Example 1: Enable the GPO setting Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Shutdown: Clear virtual memory pagefile to ensure the pagefile is wiped at shutdown. This prevents sensitive data fragments from persisting in virtual memory between sessions.

Example 2: On shared workstations or terminal servers, configure Disk Cleanup policies or use the GPO Delete user profiles older than a specified number of days on system restart (under Computer Configuration > Administrative Templates > System > User Profiles). This ensures temp files and cached data from previous user sessions are removed.

Related NIST 800-171 Requirements

3.13.1 Boundary Protection 3.13.2 Employ Architectural Designs, Software Development Techniques, and Systems Engineering Principles That Promote Effective Information Security 3.13.3 Separate User Functionality from System Management Functionality 3.13.5 Implement Subnetworks for Publicly Accessible System Components That Are Physically or Logically Separated from Internal Networks