SC-3(2)

Requirement

Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.

Discussion

Security function isolation occurs because of implementation. The functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include auditing, intrusion detection, and malicious code protection functions.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of critical security functions; system design documentation; system configuration settings and associated documentation; system audit records system security plan; other relevant documents or records].

Interview

[SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].

Test

[SELECT FROM: Isolation of security functions enforcing access and information flow control].

ID	Assessment Objectives
SC-03(02)[01]	security functions enforcing access control are isolated from non-security functions;
SC-03(02)[02]	security functions enforcing access control are isolated from other security functions;
SC-03(02)[03]	security functions enforcing information flow control are isolated from non-security functions;
SC-03(02)[04]	security functions enforcing information flow control are isolated from other security functions.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!