NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-2(2) Disassociability

Store state information from applications and software separately.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

If a system is compromised, storing applications and software separately from state information about users’ interactions with an application may better protect individuals’ privacy.

Practitioner Notes

This enhancement focuses on privacy — storing user interaction data (session state, preferences, activity history) separately from the application itself. If the app is compromised, attackers should not automatically get access to user behavior data.

Example 1: Configure your web applications to store session data in a separate database or Redis cache that sits on a different network segment from the application servers. Apply access controls to the session store that are distinct from those on the application code and its data, so that a compromised application host does not automatically carry credentials for the session store.

Example 2: In M365, use Information Barriers and Data Loss Prevention policies to ensure user activity logs and interaction data are stored in separate compliance boundaries from the application data itself.