NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-8(6) — Minimized Sharing
Implement the security design principle of minimized sharing in {{ insert: param, sa-08.06_odp }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
The principle of minimized sharing states that no computer resource is shared between system components (e.g., subjects, processes, functions) unless it is absolutely necessary to do so. Minimized sharing helps to simplify system design and implementation. In order to protect user-domain resources from arbitrary active entities, no resource is shared unless that sharing has been explicitly requested and granted. The need for resource sharing can be motivated by the design principle of least common mechanism in the case of internal entities or driven by stakeholder requirements. However, internal sharing is carefully designed to avoid performance and covert storage and timing channel problems. Sharing via common mechanism can increase the susceptibility of data and information to unauthorized access, disclosure, use, or modification and can adversely affect the inherent capability provided by the system. To minimize sharing induced by common mechanisms, such mechanisms can be designed to be reentrant or virtualized to preserve separation. Moreover, the use of global data to share information is carefully scrutinized. The lack of encapsulation may obfuscate relationships among the sharing entities.
Practitioner Notes
Minimized sharing means reducing the information and resources shared between components, users, and systems. The less sharing, the smaller the blast radius when something goes wrong.
Example 1: Apply the need-to-know principle to data sharing between systems. Your HR system does not need to share SSNs with the email system. Your CRM does not need access to the engineering design database. Connect systems only when there is a documented business need and share only the minimum data required.
Example 2: In M365, use Information Barriers to prevent inappropriate data sharing between departments. For example, prevent the trading desk from communicating with the compliance investigation team, or prevent the HR team's SharePoint sites from being shared with contractors.