SC-29

Requirement

Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].

Discussion

Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and communications protection policy; system design documentation; system configuration settings and associated documentation; list of technologies deployed in the system; acquisition documentation; acquisition contracts for system components or services; system security plan; other relevant documents or records].

Interview

[SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with system acquisition, development, and implementation responsibilities].

Test

[SELECT FROM: Mechanisms supporting and/or implementing the employment of a diverse set of information technologies].

ID	Assessment Objectives
SC-29	a diverse set of information technologies is employed for <SC-29_ODP system components> in the implementation of the system.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!