Employ physical isolation techniques or logical isolation techniques or both in organizational systems and system components.
A mix of physical and logical isolation techniques (described below) implemented as part of the system architecture can limit the unauthorized flow of CUI, reduce the system attack surface, constrain the number of system components that must be secure, and impede the movement of an adversary. When implemented with a set of managed interfaces, physical and logical isolation techniques for organizational systems and components can isolate CUI into separate security domains where additional protections can be implemented. Any communications across the managed interfaces (i.e., across security domains), including for management or administrative purposes, constitutes remote access even if the communications remain within the organization. Separating system components with boundary protection mechanisms allows for the increased protection of individual components and more effective control of information flows between those components. This enhanced protection limits the potential harm from and susceptibility to hostile cyber-attacks and errors. The degree of isolation can vary depending on the boundary protection mechanisms selected. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization and micro-virtualization techniques; encrypting information flows among system components using distinct encryption keys; cross-domain devices separating subnetworks; and complete physical separation (i.e., air gaps).
System architectures include logical isolation, partial physical and logical isolation, or complete physical isolation between subsystems and at system boundaries between resources that store, process, transmit, or protect CUI and other resources. Examples include:
- Logical isolation: Data tagging, digital rights management (DRM), and data loss prevention (DLP) that tags, monitors, and restricts the flow of CUI; virtual machines or containers that separate CUI and other information on hosts; and virtual local area networks (VLAN) that keep CUI and other information separate on networks.
- Partial physical and logical isolation: Physically or cryptographically isolated networks, dedicated hardware in data centers, and secure clients that (a) may not directly access resources outside of the domain (i.e., all applications with cross-enclave connectivity execute as remote virtual applications hosted in a demilitarized zone [DMZ] or internal and protected enclave), (b) access via remote virtualized applications or virtual desktop with no file transfer capability other than with dual authorization, or (c) employ dedicated client hardware (e.g., a zero or thin client) or hardware approved for multi-level secure (MLS) usage.
- Complete physical isolation: Dedicated (not shared) client and server hardware; physically isolated, stand-alone enclaves for clients and servers; and (a) logically separate network traffic (e.g., using a VLAN) with end-to-end encryption using Public Key Infrastructure (PKI)-based cryptography or (b) physical isolation from other networks.
Isolation techniques are selected based on a risk management perspective that balances the threat, the information being protected, and the cost of the options for protection. Architectural and design decisions are guided and informed by the security requirements and selected solutions. Organizations consider the trustworthiness of the isolation techniques employed (e.g., the logical isolation relies on information technology that could be considered a high value target because of the function being performed), introducing its own set of vulnerabilities.
[NIST SP 800-160-1] provides guidance on developing trustworthy, secure, and cyber resilient systems using systems security engineering practices and security design concepts.
For this requirement, organizations must identify the systems or enclaves that need to be isolated, then design and implement the isolation. The resulting isolation solutions are documented or referenced in the SSP. Documentation will be dependent on the design selected and may include a high level diagram, but specific details that may change on some frequency would be omitted. During an assessment, providing details such as subnet and VLAN implementation identifiers, internal boundary protection hardware and software, interface device functionality, and system configuration and Access Control List (ACL) settings will be useful.
You are responsible for information security in your organization, which holds and processes CUI. You have decided to isolate the systems processing CUI by limiting all communications in and out that enclave with cross-domain interface devices that implement access control [a]. Your security team has identified all the systems containing such CUI, documented network design details, developed network diagrams showing access control points, documented the logic for the access control enforcement decisions, described the interface and protocol to the identification and authentication mechanisms, and documented all details associated with the ACLs, including review, updates, and credential revocation procedures.
Potential Assessment Considerations
- Has the organization clearly identified where they use physical, logical, or both isolation techniques [a]?
- Can the organization describe the isolation techniques they have employed [a]?
- Has the organization deployed subnetting, internal firewalls, and VLANs to control packet flow between internal segments [a]?
- Does the organization employ metadata to inform isolation techniques [a]?