Requirement text: SC.3.182: Prevent unauthorized and unintended information transfer via shared
system resources.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
The control of information in shared system resources (e.g., registers, cache memory, main
memory, hard disks) is also commonly referred to as object reuse and residual information
protection. This requirement prevents information produced by the actions of prior users
or roles (or the actions of processes acting on behalf of prior users or roles) from being
available to any current users or roles (or current processes acting on behalf of current users
or roles) that obtain access to shared system resources after those resources have been
released back to the system. This requirement also applies to encrypted representations of
information. This requirement does not address information remanence, which refers to
residual representation of data that has been nominally deleted; covert channels (including
storage or timing channels) where shared resources are manipulated to violate information
flow restrictions; or components within systems for which there are only single users or
roles.
CMMC CLARIFICATION
No shared system resource such as cache memory, hard disks, registers, or main memory
should be able to pass information from one user to another user. In other words, when
an object is reused, no residual information should exist on that object. This protects the
confidentiality of the information. This is typically a feature provided by operating system
and software vendors.
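The object-reuse behavior described above, shown as an added illustration that is not part of the CMMC or NIST text: a hypothetical one-slot buffer pool (all names and the sample string are constructed) is released by one user and acquired by the next, once without clearing and once with clearing on release.

```c
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 64

/* Constructed sample data standing in for a prior user's information. */
static const char SAMPLE[] = "constructed-sample-CUI-record";

/* Hypothetical one-slot pool: a resource that is released and then reused. */
struct pool { unsigned char slot[SLOT_SIZE]; int in_use; };

static unsigned char *pool_acquire(struct pool *p) {
    if (p->in_use) return NULL;
    p->in_use = 1;
    return p->slot;
}

/* Weak release: the slot is marked free but still holds the old bytes. */
static void pool_release_weak(struct pool *p) { p->in_use = 0; }

/* Release with clearing: volatile stores so the wipe is not optimized away. */
static void pool_release_cleared(struct pool *p) {
    volatile unsigned char *v = p->slot;
    for (size_t i = 0; i < SLOT_SIZE; i++) v[i] = 0;
    p->in_use = 0;
}

/* Prior user writes and releases; returns how many nonzero bytes the next user can read. */
size_t residual_after_reuse(int clear_on_release) {
    struct pool p;
    memset(&p, 0, sizeof p);
    unsigned char *a = pool_acquire(&p);
    memcpy(a, SAMPLE, sizeof SAMPLE);
    if (clear_on_release) pool_release_cleared(&p); else pool_release_weak(&p);
    unsigned char *b = pool_acquire(&p);
    size_t n = 0;
    for (size_t i = 0; b && i < SLOT_SIZE; i++) n += (b[i] != 0);
    return n;
}

int main(void) {
    printf("weak release:    %zu residual bytes\n", residual_after_reuse(0));
    printf("cleared release: %zu residual bytes\n", residual_after_reuse(1));
    return 0;
}
```
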
Example
You are the system administrator for your company. You are creating the system hardening
procedures for your company’s computers. To prevent unauthorized and unintended
information transfer via shared resources, you include in your procedures steps to verify the
operating system is configured correctly. You examine the Computer Configuration policies
in the operating system and verify the settings match those documented in the hardening
procedures.
References
• NIST SP 800-171 Rev 1 3.13.4
• NIST SP 800-53 Rev 4 SC-4