NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-39 — Process Isolation
Maintain a separate execution domain for each executing system process.
Supplemental Guidance
Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.
Practitioner Notes
Each process running on your system should be isolated from every other process, so that one compromised process cannot read or modify another process's memory or data.
Example 1: Ensure all systems have modern process isolation enabled — ASLR, DEP (Data Execution Prevention), and CFG (Control Flow Guard) on Windows. These are enabled by default on current Windows versions. Verify via GPO that they have not been disabled.
Example 2: In containerized environments, run each application in its own container with minimal privileges. Use seccomp profiles and AppArmor policies to restrict what system calls each container can make. One compromised container cannot access another container's memory or files.
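The seccomp profile check in Example 2 is only useful if the profile actually denies the system calls that let one process reach into another. The following Python audit, added here as an illustration and not part of the NIST text or of Docker's own tooling, loads a Docker-style seccomp profile (the `defaultAction` / `syscalls[].names` / `action` JSON layout Docker accepts) and reports which cross-process system calls the profile still allows unconditionally. Both profiles and the list of cross-process syscalls are constructed for this example; the list is an assumption about which calls matter most for SC-39, not an exhaustive one.

```python
import json

# Constructed example profile (not Docker's default.json): deny by default,
# allow a small set of calls, explicitly deny memory-inspection calls, and
# allow clone only with a filtered flags argument.
STRICT_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex", "mmap", "munmap", "brk"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace", "process_vm_readv", "process_vm_writev"],
         "action": "SCMP_ACT_ERRNO"},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2114060288,
                   "op": "SCMP_CMP_MASKED_EQ", "valueTwo": 0}]},
    ],
})

# Constructed weak profile: allow everything by default, block only ptrace.
PERMISSIVE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [{"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}],
})

KNOWN_ACTIONS = {
    "SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
    "SCMP_ACT_TRAP", "SCMP_ACT_LOG", "SCMP_ACT_TRACE",
}
# SCMP_ACT_LOG records the call but still lets it through, so treat it as allowed.
ALLOWING_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}

# Assumed watch list: calls that inspect or alter another process's memory,
# or that change namespaces/mounts from inside a container.
CROSS_PROCESS_SYSCALLS = {
    "ptrace", "process_vm_readv", "process_vm_writev", "kcmp",
    "userfaultfd", "perf_event_open", "mount", "unshare",
}


def load_profile(text):
    """Parse a Docker-style seccomp profile and reject malformed actions."""
    profile = json.loads(text)
    if profile.get("defaultAction") not in KNOWN_ACTIONS:
        raise ValueError("unknown or missing defaultAction")
    for rule in profile.get("syscalls", []):
        # Older profiles use a singular "name"; normalise to "names".
        rule["names"] = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if not rule["names"] or rule.get("action") not in KNOWN_ACTIONS:
            raise ValueError("malformed syscall rule: %r" % rule)
    return profile


def decide(profile, syscall):
    """Return (action, conditional) for a syscall; conditional means the
    matching rule only applies when its 'args' filter matches."""
    for rule in profile.get("syscalls", []):
        if syscall in rule["names"]:
            return rule["action"], bool(rule.get("args"))
    return profile["defaultAction"], False


def audit(profile):
    """List watch-list syscalls the profile allows with no argument filter."""
    findings = []
    for name in sorted(CROSS_PROCESS_SYSCALLS):
        action, conditional = decide(profile, name)
        if action in ALLOWING_ACTIONS and not conditional:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, text in (("strict", STRICT_PROFILE), ("permissive", PERMISSIVE_PROFILE)):
        findings = audit(load_profile(text))
        print(label, findings or "no unconditional cross-process syscalls allowed")
```

Run it against a profile exported from a running host (for example the file passed with `--security-opt seccomp=<file>`) to confirm the deny-by-default posture; a non-empty result on a production profile is the finding to act on, and a rule that matches only via `args` is reported as conditional rather than counted as a gap.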