NIST 800-53 REV 5 • ACCESS CONTROL

AC-6(4) Separate Processing Domains

Provide separate processing domains to enable finer-grained allocation of user privileges.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms.

Practitioner Notes

Separate processing domains means running privileged operations in an isolated environment (a separate virtual machine, a separate physical host, or a hardware- or software-enforced domain) with their own credentials, so that a compromise of the user's day-to-day environment cannot reach the privileged one. The separation only holds if the privileged credentials are never used from the lower-trust domain and the lower-trust domain has no network path to the privileged management interfaces.

Example 1: Implement a tiered administration model. Tier 0 (domain controllers and the systems that administer them) is managed only from dedicated Privileged Access Workstations (PAWs) on a hardened VLAN, with Tier 0 accounts that never log on anywhere else. Tier 1 (member servers) is managed from a separate set of jump servers with separate accounts. Regular workstations cannot reach Tier 0 or Tier 1 management interfaces (RDP, WinRM, SSH); enforce this with host firewall rules or network ACLs and logon-right restrictions rather than by written policy alone.
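The following PowerShell is an added illustration of the network half of Example 1, not text from NIST or from this page's author: it scopes the RDP and WinRM listeners on a Tier 0 host so that only the PAW VLAN can reach them, then checks that no other enabled inbound rule opens those ports more widely. The PAW subnet 10.10.0.0/24 and the rule name are assumptions for illustration. One caveat the script relies on: Windows Defender Firewall applies Block rules before Allow rules regardless of ordering, so a "block everyone else" rule on the same ports would also block the PAWs; the script instead relies on the default inbound Block action and disables the built-in any-address allow rules.

```powershell
# Added example (not part of the NIST control text). Run on each Tier 0 host, for
# instance from a PAW over an existing WinRM session or as a GPO startup script.
# Assumptions: PAW VLAN is 10.10.0.0/24; rule name is illustrative.
#Requires -RunAsAdministrator

$PawSubnet = '10.10.0.0/24'                 # assumed PAW VLAN
$MgmtPorts = @('3389', '5985', '5986')       # RDP, WinRM HTTP, WinRM HTTPS
$RuleName  = 'Tier0-Mgmt-AllowFromPAW'

# 1. Default-deny inbound on every profile. Do not write a Block rule for the management
#    ports: Block rules win over Allow rules in Windows Defender Firewall, so it would
#    also block the PAWs.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable the built-in allow rules for RDP and WinRM; they accept any remote address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled False

# 3. Allow the management ports only from the PAW VLAN (Domain profile only).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $MgmtPorts -RemoteAddress $PawSubnet -Action Allow -Profile Domain | Out-Null
}

# 4. Verify: every enabled inbound Allow rule that touches a management port (or 'Any')
#    must be scoped to exactly the PAW subnet. Returns the offending rules, if any.
function Test-Tier0MgmtScope {
    param([string[]]$Ports, [string]$AllowedSubnet)
    $violations = @()
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }
        $rulePorts = @($portFilter.LocalPort)
        # Skip rules that open none of the management ports. (Port ranges such as
        # '5985-5986' are not expanded here; review those by hand.)
        if (-not ($rulePorts | Where-Object { $_ -eq 'Any' -or $Ports -contains $_ })) { continue }
        $addr = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        if ($addr.Count -ne 1 -or $addr[0] -ne $AllowedSubnet) {
            $violations += [pscustomobject]@{
                Rule          = $rule.DisplayName
                LocalPort     = ($rulePorts -join ',')
                RemoteAddress = ($addr -join ',')
            }
        }
    }
    return $violations
}

$bad = Test-Tier0MgmtScope -Ports $MgmtPorts -AllowedSubnet $PawSubnet
if ($bad) {
    Write-Warning 'Inbound management rules not restricted to the PAW VLAN:'
    $bad | Format-Table -AutoSize
} else {
    'All enabled inbound management rules are scoped to the PAW VLAN.'
}
```

Pair the host rules with the same restriction on the VLAN or switch ACLs, so that a host whose firewall is disabled by an attacker is still unreachable from regular workstations, and apply "Deny log on through Remote Desktop Services" to non-Tier-0 accounts on Tier 0 hosts so that a reachable port cannot be used with lower-tier credentials.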

Example 2: Enable Windows Defender Credential Guard on admin workstations (GPO: Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security, with "Credential Guard Configuration" set to "Enabled with UEFI lock"). Credential Guard uses Virtualization-Based Security to move derived domain credentials (NTLM hashes, Kerberos tickets) out of LSASS into an isolated LSA process running in a separate virtual trust level under the hypervisor, so credential-theft malware running as SYSTEM on the host cannot read them. It requires UEFI with Secure Boot and hardware virtualization extensions, and it does not protect local account credentials or credentials typed into an already compromised session, so it complements the PAW separation in Example 1 rather than replacing it.
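As an added example (not part of the NIST text or this page's original notes), the PowerShell below writes the registry values that the GPO setting in Example 2 writes and then verifies that Credential Guard is actually running, which is the check a practitioner needs because the policy can be set on hardware that cannot honour it. The registry paths and the Win32_DeviceGuard class are Microsoft-documented; the choice of Secure Boot only (value 1) versus Secure Boot plus DMA protection (value 3) is an assumption to adjust for your hardware.

```powershell
# Added example (not part of the NIST control text). Run as administrator on the admin
# workstation; a reboot is needed before the verification reports "running".
#Requires -RunAsAdministrator

# Policy-equivalent registry settings written by "Turn On Virtualization Based Security".
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-Item -Path $dg -Force | Out-Null
Set-ItemProperty -Path $dg  -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
# 1 = require Secure Boot; 3 = Secure Boot and DMA protection (needs an IOMMU). Assumed 1 here.
Set-ItemProperty -Path $dg  -Name RequirePlatformSecurityFeatures   -Type DWord -Value 1
# LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock.
# With the UEFI lock, an attacker with admin rights cannot turn it off by flipping the
# registry value; removal requires physical presence at boot.
Set-ItemProperty -Path $lsa -Name LsaCfgFlags                       -Type DWord -Value 1

function Get-CredentialGuardState {
    # Win32_DeviceGuard (root\Microsoft\Windows\DeviceGuard):
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $info = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning                = ($info.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($info.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($info.SecurityServicesRunning -contains 1)
        # The isolated LSA process only exists when Credential Guard is active.
        IsolatedLsaProcess        = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        UefiLock                  = ((Get-ItemProperty -Path $lsa -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags -eq 1)
    }
}

$state = Get-CredentialGuardState
$state | Format-List
if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: confirm UEFI Secure Boot and virtualization extensions are enabled in firmware, then reboot.'
}
```

Treat CredentialGuardRunning = False on a "configured" machine as a finding, not a reporting glitch: the most common causes are legacy BIOS boot, Secure Boot disabled, or virtualization extensions turned off in firmware, and in each case the credentials are still sitting in ordinary LSASS memory.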