SC-29—Heterogeneity

>Control Description

Employ a diverse set of information technologies for the following system components in the implementation of the system: ⚙organization-defined system components.

>Control Enhancements(1)

SC-29(1)

>Cross-Framework Mappings

SCF

SEA-13

Compare

>Supplemental Guidance

Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks.

An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What policies govern the implementation of heterogeneity?
•How are system and communications protection requirements defined and maintained?
•Who is responsible for configuring and maintaining the security controls specified in SC-29?

Technical Implementation:

•How is heterogeneity technically implemented in your environment?
•What systems, tools, or configurations enforce this protection requirement?
•How do you ensure that heterogeneity remains effective as the system evolves?

Evidence & Documentation:

•What documentation demonstrates the implementation of SC-29?
•Can you provide configuration evidence or system diagrams showing this protection control?
•What logs or monitoring data verify that this control is functioning correctly?

Ask AI

Configure your API key to use AI features.