SC-03 Security Function Isolation
Isolate security functions from nonsecurity functions.
Baselines
- L
- M
- H
- P
Guidance
Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 , including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14) , and SA-8(18).
Control Enhancements 5
- SC-03(01) Hardware Separation L M H P
- SC-03(02) Access and Flow Control Functions L M H P
- SC-03(03) Minimize Nonsecurity Functionality L M H P
- SC-03(04) Module Coupling and Cohesiveness L M H P
- SC-03(05) Layered Structures L M H P
Related controls 15
- AC-03 Access Enforcement L M H P
- AC-06 Least Privilege L M H P
- AC-25 Reference Monitor L M H P
- CM-02 Baseline Configuration L M H P
- CM-04 Impact Analyses L M H P
- SA-04 Acquisition Process L M H P
- SA-05 System Documentation L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SA-15 Development Process, Standards, and Tools L M H P
- SA-17 Developer Security and Privacy Architecture and Design L M H P
- SC-02 Separation of System and User Functionality L M H P
- SC-07 Boundary Protection L M H P
- SC-32 System Partitioning L M H P
- SC-39 Process Isolation L M H P
- SI-16 Memory Protection L M H P