NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-32(1) Separate Physical Domains for Privileged Functions

Partition privileged functions into separate physical domains.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Privileged functions that operate in a single physical domain may represent a single point of failure if that domain becomes compromised or experiences a denial of service.

Practitioner Notes

Use physically separate hardware for privileged functions so that administrative capabilities are completely isolated from regular user environments.

Example 1: Deploy dedicated Privileged Access Workstations (PAWs) on physically separate hardware for domain administration. These machines are not used for email, web browsing, or any non-administrative task. They sit on a separate management network.

Example 2: Run your domain controllers on dedicated physical servers (not on shared virtualization hosts alongside regular VMs). If an attacker compromises a shared VM host or its hypervisor, that foothold gives no path to the domain controllers, because they do not run on that host.
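As an added verification example for Example 2 (this is not code from NIST or from the page), the following PowerShell enumerates every domain controller in the domain and reports whether each one exposes a hypervisor, which flags DCs that are running as virtual machines. It assumes the RSAT ActiveDirectory module is installed, that CIM over WinRM is reachable on the DCs, and that it is run from a PAW with rights to query them; `Win32_ComputerSystem` and its `HypervisorPresent`, `Manufacturer` and `Model` properties are standard WMI/CIM.

```powershell
# Added example, not part of the NIST control text.
# Assumes: RSAT ActiveDirectory module, CIM/WinRM reachable, run from a PAW.
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem `
                              -ComputerName $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DomainController  = $dc.HostName
            Manufacturer      = $cs.Manufacturer
            Model             = $cs.Model
            HypervisorPresent = $cs.HypervisorPresent
            # A hypervisor flag means the DC is not on dedicated physical hardware
            # (or the host itself runs Hyper-V/VBS; see the note below).
            Finding           = if ($cs.HypervisorPresent) { 'Review against SC-32(1)' } else { 'Physical' }
        }
    } catch {
        # Unreachable DCs are reported rather than silently skipped.
        [pscustomobject]@{
            DomainController  = $dc.HostName
            Manufacturer      = $null
            Model             = $null
            HypervisorPresent = $null
            Finding           = "Unreachable: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Finding | Format-Table -AutoSize
```

Treat a flagged host as a lead, not a verdict: `HypervisorPresent` is also true on a physical server that has the Hyper-V role or virtualization-based security (Credential Guard) enabled, because those run Windows on the Hyper-V hypervisor. The `Manufacturer` and `Model` values (for example a model of "Virtual Machine" or a vendor's "Virtual Platform") are the stronger indicator that the DC is a guest on a shared host.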