NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-34(1) — No Writable Storage
Employ {{ insert: param, sc-34.01_odp }} with no writeable storage that is persistent across component restart or power on/off.
Supplemental Guidance
Disallowing writeable storage eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated system components. The restriction applies to fixed and removable storage, with the latter being addressed either directly or as specific restrictions imposed through access controls for mobile devices.
Practitioner Notes
Configure systems so that the operating system and applications reside on no writable storage: all executable code is loaded from read-only sources.
Example 1: Deploy diskless workstations that PXE boot from a network server. The OS image is read-only on the server. Users save data to network shares, but the operating system itself cannot be permanently modified.
Example 2: Use immutable container images in Docker/Kubernetes. The container image is read-only at runtime. If an attacker modifies files inside the container, restarting it restores the original image. Persistent data is stored only in explicitly mounted volumes.
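The container pattern from Example 2, as an added illustration that is not part of the NIST text or of any specific project: two Kubernetes Pod specs for a hypothetical service (image name, volume names and claim name are assumptions). The first relies on the default writable root filesystem; the second enforces the read-only intent with readOnlyRootFilesystem and declares the only writable locations explicitly, so the defence does not depend on someone recreating the container to discard tampering.

```yaml
# Added example (hypothetical service "example-api"; not NIST or project code).
# --- Weak: defaults. The container's root filesystem is writable, so files
# an attacker drops into it persist until the container is recreated.
apiVersion: v1
kind: Pod
metadata:
  name: example-api-writable
spec:
  containers:
    - name: api
      image: registry.example.internal/example-api:1.4.2
---
# --- Corrected: root filesystem mounted read-only; the only writable paths
# are declared below, and only the data volume persists beyond the Pod.
apiVersion: v1
kind: Pod
metadata:
  name: example-api-readonly
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: api
      # Pin by immutable digest in production so the image that runs is the
      # image that was reviewed; a tag is used here only for readability.
      image: registry.example.internal/example-api:1.4.2
      securityContext:
        readOnlyRootFilesystem: true      # writes anywhere else fail with EROFS
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: tmp                        # scratch space, lives only as long as the Pod
          mountPath: /tmp
        - name: data                       # the single explicitly persistent location
          mountPath: /var/lib/example-api
  volumes:
    - name: tmp
      emptyDir: {}
    - name: data
      persistentVolumeClaim:
        claimName: example-api-data
```

A quick check after deployment is `kubectl exec` into the corrected Pod and attempting to write outside /tmp and /var/lib/example-api; the write should be refused with a read-only filesystem error, and any application that needs another writable path should get its own declared volume rather than a relaxation of the setting.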