CMMC SC.4.197 - Employ Isolation Techniques in System and Security Architecture

Requirement text: SC.4.197: Employ physical and logical isolation techniques in the system and security
architecture and/or where deemed appropriate by the organization.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
Physical and logical isolation techniques applied at the architectural level of the system can
limit the unauthorized flow of CUI; reduce the system attack surface; constrain the number
of system components that must be highly secure; and impede the movement of an
adversary. Physical and logical isolation techniques, when implemented with managed
interfaces, can isolate CUI into separate security domains where additional protections can
be applied. Any communications across the managed interfaces (i.e., across security
domains) constitute remote access, even if the communications stay within the
organization. Separating system components with boundary protection mechanisms
provides the capability for increased protection of individual components and to more
effectively control information flows between those components. This type of enhanced
protection limits the potential harm from and susceptibility to hostile cyber-attacks and
errors. The degree of isolation varies depending upon the boundary protection mechanisms
selected. Boundary protection mechanisms include routers, gateways, and firewalls
separating system components into physically separate networks or subnetworks;
virtualization and micro-virtualization techniques; encrypting information flows among
system components using distinct encryption keys; cross-domain devices separating
subnetworks; and complete physical separation (i.e., air gaps).

Architectural strategies include logical isolation, partial physical and logical isolation, or
complete physical isolation between subsystems and at system boundaries between
resources that store, process, transmit, or protect CUI and other resources. Examples
include:
  • Logical isolation: data tagging, digital rights management (DRM), and data loss
    prevention (DLP) that tags, monitors, and restricts the flow of CUI; virtual machines
    or containers that separate CUI and other information on hosts; and virtual local area
    networks (VLAN) that keep CUI and other information separate on networks.
  • Partial physical and logical isolation: physically or cryptographically isolated
    networks; dedicated hardware in data centers; and secure clients that: (a) may not
    directly access resources outside of the domain (i.e., all networked applications
    execute as remote virtual applications hosted in a DMZ or internal and protected
    enclave); (b) access via remote virtualized applications or virtual desktop with no file
    transfer capability other than with dual authorization; or (c) employ dedicated client
    hardware (e.g., a zero or thin client) or hardware approved for multi-level secure
    (MLS) usage.
  • Complete physical isolation: dedicated (not shared) client and server hardware;
    physically isolated, stand-alone enclaves for clients and servers; and (a) logically
    separate network traffic (e.g., using a VLAN) with end-to-end encryption using
    PKI-based cryptography, or (b) physically isolate it from other traffic.

Isolation techniques are selected based on a risk management perspective that balances the
threat, the information being protected, and the cost of the options for protection.
Architectural and design decisions are guided and informed by the security requirements
and selected solutions.

NIST SP 800-160-1 provides guidance on developing trustworthy secure systems using
systems security engineering practices and security design concepts.

CMMC CLARIFICATION
Where the organization deems it appropriate, it will physically or logically isolate systems
containing or processing CUI data from other systems supporting non-CUI business
operations. Access controls are implemented to prevent unauthorized users from
accessing the networks containing systems that host and process CUI.

Example 1
You are the senior IT engineer for your organization and have been asked to install and
secure a new server that will be used to store and process CUI data. You create a new VLAN
and directly connect the server to that VLAN. Then you configure an Access Control List
(ACL) that blocks that VLAN from reaching the Internet and allows only the analysts
working on the program to access that server.
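The ACL in Example 1 is only as good as its rule order and its default action, so a practitioner usually wants a way to check that the written rules actually enforce the intended isolation before relying on them. The following is an added example, not code from the CMMC page or from NIST: it models a first-match ACL evaluator, expresses the intent of Example 1 as a handful of expectations, and shows a plausible misordered ACL failing them. All addresses are constructed (the CUI VLAN at 10.50.10.0/24, the server at 10.50.10.20, analyst workstations on 10.20.5.0/24, other staff on 10.20.6.0/24, and the TEST-NET range 203.0.113.0/24 standing in for the Internet); the rule and function names are assumptions for illustration.

```python
"""First-match ACL evaluator modelling the VLAN isolation in Example 1.

Added example; all addresses below are constructed for illustration.
The evaluator models connection initiation only (as a stateful firewall
would). A stateless router ACL would additionally need rules for the
return traffic of permitted sessions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption, not from the page).
ANY = ip_network("0.0.0.0/0")
CUI_VLAN = ip_network("10.50.10.0/24")
CUI_SERVER = ip_network("10.50.10.20/32")
ANALYSTS = ip_network("10.20.5.0/24")

SERVER_HOST = "10.50.10.20"
ANALYST_HOST = "10.20.5.15"
OTHER_STAFF_HOST = "10.20.6.40"
INTERNET_HOST = "203.0.113.7"   # TEST-NET-3, stands in for "the Internet"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(acl: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


# ACL enforcing Example 1. Order matters: the narrow permit comes first,
# then the denies that fence the VLAN off in both directions.
GOOD_ACL = [
    Rule("permit", ANALYSTS, CUI_SERVER, 443),  # analysts -> server over HTTPS only
    Rule("deny", ANY, CUI_VLAN),                # nobody else may reach the VLAN
    Rule("deny", CUI_VLAN, ANY),                # VLAN may not initiate to anything else
]

# A plausible misconfiguration: a broad permit placed above the deny. The
# permit was meant to cover "the VLAN's own traffic" but also allows egress.
BAD_ACL = [
    Rule("permit", CUI_VLAN, ANY),
    Rule("deny", CUI_VLAN, ANY),
]


def isolation_holds(acl: List[Rule]) -> Tuple[bool, List[str]]:
    """Check the ACL against the stated intent; returns (ok, failed checks)."""
    expectations = [
        ("analyst reaches server", ANALYST_HOST, SERVER_HOST, 443, "permit"),
        ("other staff blocked", OTHER_STAFF_HOST, SERVER_HOST, 443, "deny"),
        ("Internet cannot reach server", INTERNET_HOST, SERVER_HOST, 443, "deny"),
        ("server cannot reach Internet", SERVER_HOST, INTERNET_HOST, 443, "deny"),
        ("server cannot reach other staff", SERVER_HOST, OTHER_STAFF_HOST, 445, "deny"),
    ]
    failures = [name for name, s, d, p, want in expectations
                if evaluate(acl, s, d, p) != want]
    return (not failures), failures


if __name__ == "__main__":
    for label, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        ok, failed = isolation_holds(acl)
        print(f"{label}: {'isolation holds' if ok else 'FAILED: ' + ', '.join(failed)}")
```

The two properties worth keeping in mind when translating this to a real device are the ones the evaluator makes explicit: a rule set is read top to bottom and the first match decides, and anything that matches no rule is dropped. The misordered ACL passes the "other staff" and "Internet inbound" checks yet still leaks egress, which is exactly the kind of gap a one-off ping test from an analyst workstation would not reveal.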

Example 2
You are managing a project working on CUI data with two other people. You identify a room
and provide only the team members and yourself with keys to access the room. You have
the server and a small workgroup switch installed in the room with a couple of workstations.
The workgroup switch is not connected to the organization's network, so team members
must be in the locked room to work on this project.

References
• CMMC modification of Draft NIST SP 800-171B 3.13.4e
• CIS Controls v7.1 14.1
• NIST CSF v1.1 PR.AC-5