NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(2) Processing Domains

Use protected processing domains to enforce [Assignment: organization-defined information security and privacy policies] as a basis for flow control decisions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains, information is identified by types, and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains.
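A minimal model of the three decision types named above (access by domain and type, signaling among domains, and process transitions), written as an added example; it is not part of the NIST text or of any product's policy language. All process names, paths, domain labels and type labels are constructed for illustration.

```python
"""Minimal domain and type enforcement (DTE) decision model; default deny."""

# Constructed sample policy: every name below is an illustrative assumption.
PROCESS_DOMAIN = {"cui_etl": "cui_d", "web_srv": "public_d", "guard": "guard_d"}
OBJECT_TYPE = {"/data/cui.db": "cui_t", "/srv/www/index.html": "public_t",
               "/queue/release": "release_t", "/usr/bin/guard": "guard_exec_t"}
# (domain, type) -> allowed access modes
ACCESS = {
    ("cui_d", "cui_t"): {"read", "write"},
    ("cui_d", "release_t"): {"write"},
    ("cui_d", "guard_exec_t"): {"execute"},
    ("guard_d", "release_t"): {"read"},
    ("guard_d", "public_t"): {"write"},
    ("public_d", "public_t"): {"read"},
}
# (sender domain, receiver domain) -> allowed signals
SIGNALS = {("guard_d", "cui_d"): {"SIGTERM"}}
# (current domain, entry-point type) -> domain entered on exec
TRANSITIONS = {("cui_d", "guard_exec_t"): "guard_d"}


def may_access(process, obj, mode):
    """Allow only if the process's domain holds `mode` on the object's type."""
    key = (PROCESS_DOMAIN.get(process), OBJECT_TYPE.get(obj))
    return mode in ACCESS.get(key, set())  # unlabeled subjects/objects are denied


def may_flow(process, src, dst):
    """A process can move data src -> dst only if it may read src and write dst."""
    return may_access(process, src, "read") and may_access(process, dst, "write")


def may_signal(sender, receiver, sig):
    """Signals are checked domain-to-domain, independent of object access."""
    key = (PROCESS_DOMAIN.get(sender), PROCESS_DOMAIN.get(receiver))
    return sig in SIGNALS.get(key, set())


def domain_after_exec(process, entry_point):
    """Return the domain entered by executing entry_point, or None if denied."""
    if not may_access(process, entry_point, "execute"):
        return None
    key = (PROCESS_DOMAIN.get(process), OBJECT_TYPE.get(entry_point))
    return TRANSITIONS.get(key)
```

In this sample policy the only path from `cui_t` data to `public_t` data runs through the `guard_d` domain, which is the property a reviewer would check when assessing the flow control rules.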

Practitioner Notes

Processing domains are isolated environments where data is processed separately based on its sensitivity. This keeps sensitive data processing physically or logically separated from less sensitive work.

Example 1: In Azure, deploy your CUI-processing workloads in a dedicated subscription with Azure Policy enforcing GovCloud regions only. Use network security groups (NSGs) and Azure Firewall to prevent any data flow from CUI subscriptions to commercial subscriptions.

Example 2: On-premises, use VMware vSphere tags and DRS rules to ensure VMs handling sensitive data only run on specific host clusters. Configure firewall rules (vSphere Distributed Switch or NSX) so these VMs cannot communicate with VMs in the general-purpose cluster.