SC-29(1)—Virtualization Techniques
>Control Description
Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed ⚙organization-defined frequency.
>Cross-Framework Mappings
>Supplemental Guidance
While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern the implementation of virtualization techniques?
- •How are system and communications protection requirements defined and maintained?
- •Who is responsible for configuring and maintaining the security controls specified in SC-29(1)?
Technical Implementation:
- •How is virtualization techniques technically implemented in your environment?
- •What systems, tools, or configurations enforce this protection requirement?
- •How do you ensure that virtualization techniques remains effective as the system evolves?
Evidence & Documentation:
- •What documentation demonstrates the implementation of SC-29(1)?
- •Can you provide configuration evidence or system diagrams showing this protection control?
- •What logs or monitoring data verify that this control is functioning correctly?
Ask AI
Configure your API key to use AI features.