NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-50 Software-enforced Separation and Policy Enforcement

Implement software-enforced separation and policy enforcement mechanisms between {{ insert: param, sc-50_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation.

Practitioner Notes

Use software-enforced separation and policy enforcement as a complement to (or substitute for) hardware enforcement when hardware solutions are not available.

Example 1: Use SELinux or AppArmor on Linux servers to enforce mandatory access control policies. These kernel security modules restrict what files, network ports, and system calls each process can access, regardless of the process's user permissions.

Example 2: Deploy Windows Defender Application Control (WDAC) to enforce code integrity policies. Only signed, approved executables can run. Even if an attacker gains administrative access, they cannot run unsigned malicious binaries because the kernel-enforced policy blocks them.
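As an added illustration of checking that the Example 1 separation is actually enforced rather than merely logged (this script is not part of the control text), the following POSIX shell summarizes SELinux AVC denial records and flags domains running in permissive mode; the audit lines are constructed samples in the format of /var/log/audit/audit.log.

```shell
#!/bin/sh
# Constructed sample AVC records (assumed data, not from the control text).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1201 comm="httpd" name="shadow" dev="sda1" ino=4412 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="shadow" dev="sda1" ino=4412 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1201 comm="httpd" name="shadow" dev="sda1" ino=4412 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# summarize_avc: read audit records on stdin and print one line per distinct
# "count source_type target_type class permission mode". Mode is "enforced"
# when the kernel blocked the access and "permissive" when it only logged it.
summarize_avc() {
  awk '
    $1 == "type=AVC" && /avc:  denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforced"
      for (i = 1; i <= NF; i++) {
        if ($i == "{") perm = $(i + 1)                    # permission inside { }
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }    # strip "tclass="
        if ($i == "permissive=1") mode = "permissive"
      }
      count[src " " tgt " " cls " " perm " " mode]++
    }
    END { for (k in count) print count[k] " " k }
  ' | sort -k2
}

# permissive_domains: list source domains whose denials were logged but not
# blocked. A non-empty list means separation is not actually being enforced
# for those domains (e.g. "semanage permissive -a" was left in place).
permissive_domains() {
  summarize_avc | awk '$6 == "permissive" { print $2 }' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | permissive_domains
```

On a live host, feed `ausearch -m AVC --raw` or the audit log itself into `summarize_avc` instead of the sample.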