SC-3—Security Function Isolation
>Control Description
>Supplemental Guidance
The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from non-security functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes.
For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include non-security functions within the isolation boundary as an exception.
Related controls: AC-3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39
>Tailoring Guidance
This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. However, this security control/enhancement cannot be met using readily available COTS components.
Consequently, compliance with this security control/enhancement may be problematic. Note that this security control/enhancement applies at the platform level.
Ask AI
Configure your API key to use AI features.