NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-2 Separation of System and User Functionality

Separate user functionality, including user interface services, from system management functionality.

Supplemental Guidance

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8), including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14), and [SA-8(18)](#sa-8.18).

Practitioner Notes

This control means keeping the tools and interfaces that regular users see completely separate from the tools administrators use to manage systems. A normal employee should never stumble into a server management console.

Example 1: Configure your Windows servers so that administrative tools like Server Manager, PowerShell ISE, and MMC snap-ins are only available on dedicated admin workstations — not on standard employee desktops. Use a GPO to remove administrative tools from non-admin machines.
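The following audit script is an added example, not part of the NIST text or any vendor tooling: it checks a standard employee workstation for the management tooling Example 1 says should only exist on dedicated admin workstations, and for whether the MMC snap-in allow-list policy has actually been applied by GPO. It assumes Windows 10/11 with Windows PowerShell 5.1 or later, run as the logged-on user; the binary paths and the `RestrictToPermittedSnapins` registry value are real Windows locations, and the function name is my own.

```powershell
# Audit a workstation for SC-2 drift: management tools or an unrestricted MMC
# on a machine that is supposed to be user-only. Returns one object per check
# so the output can be collected centrally and compared against the expected
# state for "standard desktop" versus "admin workstation".
function Test-Sc2AdminToolExposure {
    [CmdletBinding()]
    param()

    $sys32 = Join-Path $env:SystemRoot 'System32'

    # 1. Management binaries and consoles that should be absent on a user
    #    workstation. The .msc files appear only when RSAT tools are installed.
    $tools = [ordered]@{
        'Server Manager'              = Join-Path $sys32 'ServerManager.exe'
        'PowerShell ISE'              = Join-Path $sys32 'WindowsPowerShell\v1.0\powershell_ise.exe'
        'AD Users and Computers (RSAT)' = Join-Path $sys32 'dsa.msc'
        'Group Policy Management (RSAT)' = Join-Path $sys32 'gpmc.msc'
    }
    $findings = foreach ($name in $tools.Keys) {
        [pscustomobject]@{
            Check   = "Tool present: $name"
            Exposed = Test-Path -Path $tools[$name]
            Detail  = $tools[$name]
        }
    }

    # 2. GPO "Restrict users to the explicitly permitted list of snap-ins"
    #    (User Configuration > Administrative Templates > Windows Components >
    #    Microsoft Management Console). When applied, it writes
    #    HKCU\Software\Policies\Microsoft\MMC\RestrictToPermittedSnapins = 1.
    $mmcPolicy = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\MMC' `
                                  -ErrorAction SilentlyContinue
    $restricted = ($null -ne $mmcPolicy) -and ($mmcPolicy.RestrictToPermittedSnapins -eq 1)
    $findings += [pscustomobject]@{
        Check   = 'MMC snap-in allow-list policy not applied'
        Exposed = -not $restricted
        Detail  = if ($mmcPolicy) { "RestrictToPermittedSnapins=$($mmcPolicy.RestrictToPermittedSnapins)" }
                  else            { 'policy key absent (GPO not applied to this user)' }
    }

    $findings
}

# Any row with Exposed = True on a standard desktop is an SC-2 finding.
Test-Sc2AdminToolExposure | Format-Table -AutoSize
```

Run it under the standard user's session (not an elevated admin prompt), because the MMC policy lives under HKCU and must be evaluated for the account that actually logs on.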

Example 2: In Microsoft 365, use Privileged Access Workstations (PAWs) for Exchange and Azure AD administration. Regular users access Outlook and Teams from standard machines, while admins manage tenant settings only from hardened, dedicated devices on a separate network segment.