NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-29(1) Virtualization Techniques

Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments.

Practitioner Notes

Use virtualization to create diverse processing environments. Virtual machines can run different operating systems and configurations, providing heterogeneity within a single physical infrastructure.

Example 1: Run critical applications on VMs with different OS versions or distributions. For instance, run the primary database on Ubuntu and the backup on CentOS. A kernel exploit tailored to one distribution's kernel build does not necessarily work against the other, so a single exploit is less likely to take down both copies of the service.

Example 2: Use containerization (Docker, Kubernetes) to isolate applications in different runtime environments. Each container carries its own OS libraries and dependencies, so a vulnerability in one container's user-space stack does not affect the others. Note that containers on the same host share the host kernel: diversity of base images does not diversify the kernel, so kernel-level vulnerabilities still need VMs or separate hosts to contain.
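The two examples above can be turned into a check: given an inventory of workloads, report for each role (database, web, api) whether its instances actually span more than one OS family and more than one kernel build. The script below is an added illustration, not part of this control page or of any NIST or CMMC artifact; the inventory records, their field names (role, host, kind, os, kernel, image) and the sample hosts are constructed for the example. It goes slightly beyond the page's two examples by also flagging roles whose instances all share one kernel, which is the usual situation for containers on a single host.

```python
"""Added example: check a workload inventory for the OS and kernel diversity
that SC-29(1) asks for. The inventory below is constructed for illustration."""
from collections import defaultdict

# Constructed sample inventory: one record per running workload instance.
# Field names are assumptions for this example, not a standard schema.
INVENTORY = [
    {"role": "database", "host": "db-primary", "kind": "vm",
     "os": "ubuntu", "kernel": "5.15.0-91", "image": None},
    {"role": "database", "host": "db-backup", "kind": "vm",
     "os": "centos", "kernel": "4.18.0-513", "image": None},
    {"role": "web", "host": "web-1", "kind": "container",
     "os": "debian", "kernel": "6.1.0-18", "image": "nginx:1.25-bookworm"},
    {"role": "web", "host": "web-2", "kind": "container",
     "os": "debian", "kernel": "6.1.0-18", "image": "nginx:1.25-bookworm"},
    {"role": "api", "host": "api-1", "kind": "container",
     "os": "alpine", "kernel": "6.1.0-18", "image": "python:3.12-alpine"},
]


def diversity_report(inventory, min_distinct=2):
    """Group instances by role and report distinct OS families, kernel builds
    and container images. A role with fewer than `min_distinct` OS families
    or kernels is a monoculture: one exploit that works on that OS or kernel
    works against every instance of the role."""
    by_role = defaultdict(list)
    for rec in inventory:
        by_role[rec["role"]].append(rec)

    report = {}
    for role, recs in sorted(by_role.items()):
        oses = sorted({r["os"] for r in recs})
        kernels = sorted({r["kernel"] for r in recs})
        images = sorted({r["image"] for r in recs if r["image"]})
        findings = []
        if len(oses) < min_distinct:
            findings.append(
                f"OS monoculture: {len(recs)} instance(s) across only "
                f"{len(oses)} OS family ({', '.join(oses)})")
        # Containers share the host kernel, so differing base images do not
        # diversify the kernel attack surface; flag roles whose instances all
        # sit on one kernel build regardless of how many images they use.
        if len(kernels) < min_distinct:
            findings.append(
                f"kernel monoculture: every instance runs kernel {kernels[0]}")
        report[role] = {
            "instances": len(recs),
            "os_families": oses,
            "kernels": kernels,
            "images": images,
            "findings": findings,
        }
    return report


def roles_needing_attention(report):
    """Roles with at least one finding, sorted for stable output."""
    return sorted(role for role, info in report.items() if info["findings"])


if __name__ == "__main__":
    rep = diversity_report(INVENTORY)
    for role, info in rep.items():
        status = "OK" if not info["findings"] else "REVIEW"
        print(f"{role:10} {status:7} os={info['os_families']} "
              f"kernels={info['kernels']}")
        for finding in info["findings"]:
            print(f"           - {finding}")
```

On the constructed inventory the database role passes (Ubuntu and CentOS on different kernels), while the web and api roles are flagged: their instances run a single OS family and, being containers on one host, a single kernel build. Feeding the function a real inventory export (from a CMDB, hypervisor API or cluster node listing) is a straightforward way to produce evidence for this control's assessment.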