NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-29 — Heterogeneity
Employ a diverse set of information technologies for the following system components in the implementation of the system: {{ insert: param, sc-29_odp }}.
Supplemental Guidance
Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.
Practitioner Notes
Use diverse components — different hardware vendors, operating systems, and software — to reduce the risk that a single vulnerability takes down everything. If all your systems run the same software, one exploit compromises them all.
Example 1: Run your web servers on Linux (Apache/Nginx) and your application servers on Windows (IIS). An exploit targeting one OS does not automatically compromise the other tier. The attacker needs separate exploits for each layer.
Example 2: Use firewalls from different vendors at different points in your architecture — for example, Palo Alto at the perimeter and a different vendor for internal segmentation. A zero-day vulnerability in one vendor's product does not open your entire network.