SC-3(5)—Layered Structures
>Control Description
Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
>Cross-Framework Mappings
>Supplemental Guidance
The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) enables the isolation of security functions and the management of complexity.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern the implementation of layered structures?
- •How are system and communications protection requirements defined and maintained?
- •Who is responsible for configuring and maintaining the security controls specified in SC-3(5)?
Technical Implementation:
- •How is layered structures technically implemented in your environment?
- •What systems, tools, or configurations enforce this protection requirement?
- •How do you ensure that layered structures remains effective as the system evolves?
Evidence & Documentation:
- •What documentation demonstrates the implementation of SC-3(5)?
- •Can you provide configuration evidence or system diagrams showing this protection control?
- •What logs or monitoring data verify that this control is functioning correctly?
Ask AI
Configure your API key to use AI features.