NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-3(5) Layered Structures

Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) enables the isolation of security functions and the management of complexity.

Practitioner Notes

Organize security functions in layers so that a lower layer never depends on the functionality or correctness of a higher layer. Dependencies may point downward (OS-level controls rely on a correctly booted kernel) but never upward, which keeps the dependency graph free of loops and means that a failure or compromise in a higher layer cannot undermine the layers beneath it. The converse still holds: a lower-layer failure affects everything above it, so the lowest layers are the ones that warrant the strongest assurance.

Example 1: Structure your network security in layers: the perimeter firewall (lowest layer) does not depend on the host-based firewall (higher layer). If the host firewall fails or is disabled by an attacker with local privileges, the perimeter firewall still blocks unauthorized traffic independently.

Example 2: In your server builds, the boot integrity check (UEFI Secure Boot at the lowest layer) does not depend on the OS-level antivirus (higher layer). Each layer validates independently, and lower layers are never affected by failures in the layers above them. A design review should confirm that no lower-layer function consumes input, configuration, or verdicts from a higher-layer one.
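The rule above can be checked mechanically during design review. The following is an added example, not part of NIST SP 800-53 and not any vendor's tool: each security function is assigned a layer number and a list of the functions it depends on, and the checker reports any dependency from a lower layer on a higher one (the upward dependencies SC-3(5) forbids), any dependency cycle, and the set of functions affected when a given function fails. The function names and dependencies in GOOD_DESIGN and BAD_DESIGN are a constructed model of the two practitioner examples, not a real system.

```python
"""Layer-dependency check for a set of security functions (added example).

Models the SC-3(5) rule directly: every security function is assigned to a
layer (0 = lowest, e.g. firmware or the network perimeter) and lists the
functions it relies on. A design passes when no function depends on a
function in a higher layer and the dependency graph contains no cycle.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class SecurityFunction:
    name: str
    layer: int                        # lower number = lower layer
    depends_on: Tuple[str, ...] = ()  # names of functions this one relies on


def _index(functions: Sequence[SecurityFunction]) -> Dict[str, SecurityFunction]:
    by_name = {f.name: f for f in functions}
    for f in functions:
        for dep in f.depends_on:
            if dep not in by_name:
                raise KeyError(f"{f.name} depends on unknown function {dep!r}")
    return by_name


def find_upward_dependencies(functions: Sequence[SecurityFunction]) -> List[Tuple[str, str]]:
    """(dependent, dependency) pairs where a function relies on a HIGHER layer.

    These are the dependencies SC-3(5) forbids: if the higher-layer function
    fails or is subverted, the lower-layer function can no longer be trusted.
    """
    by_name = _index(functions)
    return [(f.name, dep) for f in functions
            for dep in f.depends_on if by_name[dep].layer > f.layer]


def find_cycle(functions: Sequence[SecurityFunction]) -> Optional[List[str]]:
    """Return one dependency cycle as [a, b, ..., a], or None if acyclic."""
    by_name = _index(functions)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in by_name}
    path: List[str] = []  # current DFS path, used to report the loop

    def visit(name: str) -> Optional[List[str]]:
        colour[name] = GREY
        path.append(name)
        for dep in by_name[name].depends_on:
            if colour[dep] == GREY:  # back edge: dep is already on the path
                return path[path.index(dep):] + [dep]
            if colour[dep] == WHITE:
                found = visit(dep)
                if found:
                    return found
        path.pop()
        colour[name] = BLACK
        return None

    for name in by_name:
        if colour[name] == WHITE:
            cycle = visit(name)
            if cycle:
                return cycle
    return None


def failure_impact(functions: Sequence[SecurityFunction], failed: str) -> Set[str]:
    """Names of every function that transitively depends on `failed`.

    In a correctly layered design this set never contains a function in a
    layer lower than `failed`.
    """
    by_name = _index(functions)
    dependents: Dict[str, List[str]] = {name: [] for name in by_name}
    for f in functions:
        for dep in f.depends_on:
            dependents[dep].append(f.name)
    seen: Set[str] = {failed}
    queue = deque([failed])
    while queue:
        for d in dependents[queue.popleft()]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen - {failed}


def check_layering(functions: Sequence[SecurityFunction]) -> Dict[str, object]:
    """Summary a design review can act on."""
    upward = find_upward_dependencies(functions)
    cycle = find_cycle(functions)
    return {"compliant": not upward and cycle is None,
            "upward_dependencies": upward, "cycle": cycle}


# Constructed model of the two practitioner examples (hypothetical, not a real build).
GOOD_DESIGN = (
    SecurityFunction("perimeter_firewall", 0),
    SecurityFunction("uefi_secure_boot", 0),
    SecurityFunction("host_firewall", 1, ("uefi_secure_boot",)),
    SecurityFunction("os_antivirus", 2, ("uefi_secure_boot",)),
)

# Same functions, but the perimeter firewall now consults the host antivirus
# before forwarding, and the host firewall and antivirus rely on each other.
BAD_DESIGN = (
    SecurityFunction("perimeter_firewall", 0, ("os_antivirus",)),
    SecurityFunction("uefi_secure_boot", 0),
    SecurityFunction("host_firewall", 1, ("uefi_secure_boot", "os_antivirus")),
    SecurityFunction("os_antivirus", 2, ("uefi_secure_boot", "host_firewall")),
)

if __name__ == "__main__":
    for label, design in (("good", GOOD_DESIGN), ("bad", BAD_DESIGN)):
        print(label, check_layering(design))
    print("good design, os_antivirus fails:", failure_impact(GOOD_DESIGN, "os_antivirus"))
    print("good design, uefi_secure_boot fails:", failure_impact(GOOD_DESIGN, "uefi_secure_boot"))
```

In the good design a failed antivirus affects nothing below it, while a failed Secure Boot affects every function above it, which is exactly the asymmetry the control describes. In the bad design the checker flags both upward dependencies and the host_firewall/os_antivirus loop before anything is built.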