NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(13) Isolation of Security Tools, Mechanisms, and Support Components

Isolate {{ insert: param, sc-07.13_odp }} from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Physically separate subnetworks with managed interfaces are useful in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques employed by organizations.

Practitioner Notes

Security tools — SIEM, vulnerability scanners, forensic workstations — should be on their own isolated network segment. If an attacker compromises your production environment, they should not be able to reach and disable your security monitoring.

Example 1: Place your SIEM (Splunk, Sentinel), vulnerability scanner (Nessus/ACAS), and network monitoring tools on a dedicated management VLAN. Only security team workstations can access this VLAN, and firewall rules prevent any production system from initiating connections to the security tools.
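As an added illustration of Example 1 (not part of the NIST text or any vendor product), a small audit that reads a constructed firewall rule table and flags any allow rule that would let a non-security source initiate a connection into the security VLAN; the address ranges and rule names are assumptions made up for this example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan, constructed for this example (not from the control text).
PRODUCTION = ipaddress.ip_network("10.10.0.0/16")              # production systems
SECURITY_VLAN = ipaddress.ip_network("10.250.0.0/24")          # SIEM, scanner, NSM
SECURITY_WORKSTATIONS = ipaddress.ip_network("10.251.0.0/24")  # security team only

# Only these networks are expected to initiate connections into the security VLAN.
TRUSTED_SOURCES = (SECURITY_WORKSTATIONS, SECURITY_VLAN)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR
    dst: str     # CIDR
    action: str  # "allow" or "deny"


def audit_sc7_13(rules):
    """Return (rule name, reason) for every allow rule that lets a source
    outside the security team's networks initiate into the security VLAN.
    Direction matters: security tools reaching into production (scans,
    log pulls) is not flagged; only inbound reachability of the tools is."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src = ipaddress.ip_network(rule.src, strict=False)
        dst = ipaddress.ip_network(rule.dst, strict=False)
        if not dst.overlaps(SECURITY_VLAN):
            continue  # rule never reaches the isolated segment
        if any(src.subnet_of(trusted) for trusted in TRUSTED_SOURCES):
            continue  # security workstations / intra-VLAN traffic is expected
        findings.append((rule.name, f"{rule.src} may initiate to {rule.dst}"))
    return findings


# Constructed rule table; evaluated as a flat list, without first-match ordering.
SAMPLE_RULES = [
    Rule("sec-ws-to-tools", "10.251.0.0/24", "10.250.0.0/24", "allow"),
    Rule("scanner-to-prod", "10.250.0.10/32", "10.10.0.0/16", "allow"),
    Rule("prod-to-siem-api", "10.10.0.0/16", "10.250.0.5/32", "allow"),
    Rule("any-any", "0.0.0.0/0", "0.0.0.0/0", "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    for name, reason in audit_sc7_13(SAMPLE_RULES):
        print(f"SC-7(13) violation: {name}: {reason}")
```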

Example 2: Store security tool backups and configuration files on a separate storage system that is not accessible from the production network. If an attacker wipes production servers, your SIEM data and security baselines remain intact for forensic investigation.