>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-39Process Isolation

LI-SaaS
Low
Moderate
High

>Control Description

Maintain a separate execution domain for each executing system process.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.

Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

>Cross-Framework Mappings

SCF

SEA-04
Compare

>Programmatic Queries

Beta

Related Services

Amazon ECS
Amazon EKS
AWS Firecracker/Lambda

CLI Commands

List ECS tasks with networking mode (isolation)
aws ecs list-tasks --cluster CLUSTER_NAME --query 'taskArns'
Describe ECS task definitions for container isolation
aws ecs describe-task-definition --task-definition TASK_DEF --query 'taskDefinition.{NetworkMode:networkMode,PidMode:pidMode,IpcMode:ipcMode}'
List EKS cluster security configuration
aws eks describe-cluster --name CLUSTER_NAME --query 'cluster.{KubernetesNetworkConfig:kubernetesNetworkConfig,Logging:logging}'
Get Lambda function isolation config (VPC, runtime)
aws lambda get-function-configuration --function-name FUNC_NAME --query '{Runtime:Runtime,VpcConfig:VpcConfig,Architectures:Architectures}'
Open AWS ConsoleDocumentation

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of process isolation?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-39?

Technical Implementation:

  • How is process isolation technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that process isolation remains effective as the system evolves?
  • How is separation of duties or partitioning technically enforced?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-39?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?

Ask AI

Configure your API key to use AI features.