
SC-2 Separation of System and User Functionality

Baselines: Moderate, High

>Control Description

Separate user functionality, including user interface services, from system management functionality.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical.

Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls.

The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8, including SA-8 (1), SA-8 (3), SA-8 (4), SA-8 (10), SA-8 (12), SA-8 (13), SA-8 (14), and SA-8 (18).

>Cross-Framework Mappings

>Programmatic Queries


Related Services

VPC
ECS
Lambda

CLI Commands

Check VPC separation (list every VPC with its CIDR and tags so management and user VPCs can be told apart):
aws ec2 describe-vpcs --query 'Vpcs[*].{Id:VpcId,CIDR:CidrBlock,Tags:Tags}'

List ECS task definitions (review each one with describe-task-definition for its network mode and isolation settings):
aws ecs list-task-definitions --query 'taskDefinitionArns'

Check Lambda VPC configuration (functions with no VPC or subnets are not network-isolated):
aws lambda list-functions --query 'Functions[*].{Name:FunctionName,VPC:VpcConfig.VpcId,Subnets:VpcConfig.SubnetIds}'

List security groups by function:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{Id:GroupId,Name:GroupName,Description:Description}'
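The following is an added example, not part of this page or of any AWS tooling: a Python check that consumes the JSON shape produced by the describe-vpcs and list-functions queries above and flags workloads that break SC-2 separation. It assumes each VPC carries a `Tier` tag (`management` or `user`) and that each function's tier is known from a separate inventory (for instance Lambda tags); the sample data is constructed inline so the script runs offline.

```python
import json

# Constructed sample in the shape of the describe-vpcs query above.
VPCS_JSON = '''[
 {"Id": "vpc-aaa111", "CIDR": "10.10.0.0/16", "Tags": [{"Key": "Tier", "Value": "management"}]},
 {"Id": "vpc-bbb222", "CIDR": "10.20.0.0/16", "Tags": [{"Key": "Tier", "Value": "user"}]},
 {"Id": "vpc-ccc333", "CIDR": "10.30.0.0/16", "Tags": null}
]'''
# Constructed sample in the shape of the list-functions query above.
FUNCS_JSON = '''[
 {"Name": "admin-console", "VPC": "vpc-aaa111", "Subnets": ["subnet-1"]},
 {"Name": "user-api", "VPC": "vpc-bbb222", "Subnets": ["subnet-2"]},
 {"Name": "admin-rotate-keys", "VPC": "vpc-bbb222", "Subnets": ["subnet-2"]},
 {"Name": "admin-report", "VPC": null, "Subnets": null},
 {"Name": "user-upload", "VPC": "vpc-ccc333", "Subnets": ["subnet-3"]}
]'''
# Assumption: function tier comes from a separate inventory (e.g. Lambda tags);
# constructed here so the check is self-contained.
FUNC_TIER = {"admin-console": "management", "user-api": "user",
             "admin-rotate-keys": "management", "admin-report": "management",
             "user-upload": "user"}

def vpc_tiers(vpcs):
    """Map VpcId -> value of its Tier tag (None when the VPC is untagged)."""
    out = {}
    for v in vpcs:
        tags = {t["Key"]: t["Value"] for t in (v.get("Tags") or [])}
        out[v["Id"]] = tags.get("Tier")
    return out

def check_separation(vpcs, funcs, func_tier):
    """Return (subject, finding) pairs where management/user separation fails."""
    tiers = vpc_tiers(vpcs)
    hosted = {}  # VpcId -> set of tiers actually deployed into that VPC
    findings = []
    for f in funcs:
        tier, vpc = func_tier.get(f["Name"]), f.get("VPC")
        if not vpc:  # no VpcConfig: the function is not network-isolated at all
            findings.append((f["Name"], "no VPC config: not network-isolated"))
            continue
        hosted.setdefault(vpc, set()).add(tier)
        if tiers.get(vpc) is None:  # untagged or unknown VPC: separation unprovable
            findings.append((f["Name"], f"{vpc} has no Tier tag"))
        elif tiers[vpc] != tier:  # tier of the workload contradicts tier of its VPC
            findings.append((f["Name"], f"{tier} function in {tiers[vpc]} VPC {vpc}"))
    for vpc, ts in hosted.items():  # one VPC must not host both tiers
        if len(ts) > 1:
            findings.append((vpc, "VPC hosts both tiers: " + ", ".join(sorted(ts))))
    return findings

def run_sample():
    """Run the check over the constructed sample data above."""
    return check_separation(json.loads(VPCS_JSON), json.loads(FUNCS_JSON), FUNC_TIER)

if __name__ == "__main__":
    for subject, msg in run_sample():
        print(f"FAIL {subject}: {msg}")
```

Feed real query output through `json.loads` in place of the constructed strings to run the same check against an account.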

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of separation of system and user functionality?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-2?

Technical Implementation:

  • How is separation of system and user functionality technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that separation of system and user functionality remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?
  • How is separation of duties or partitioning technically enforced?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-2?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?
