NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-3(2) Access and Flow Control Functions

Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Security function isolation occurs because of implementation. The functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include auditing, intrusion detection, and malicious code protection functions.

Practitioner Notes

Access control and information flow control functions need extra isolation — they must be separated not just from regular applications but from other security functions like auditing or malware scanning.

Example 1: Deploy your firewall (access/flow control) on dedicated appliances separate from your IDS/IPS sensors and your SIEM. Each security function runs on its own hardware or VM with its own management interface and credentials.

Example 2: In a virtualized environment, run your access control services (Active Directory domain controllers) on dedicated Hyper-V hosts that do not share physical hardware with application VMs or monitoring VMs.
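An added verification check for Example 2, not from the NIST catalog or this site: it enumerates the VMs on each Hyper-V host and reports any host where a domain controller VM shares hardware with application or monitoring VMs. It assumes the Hyper-V PowerShell module, WinRM access to each host, and a VM naming convention (DC*, SIEM*/IDS*/MON*) that is a placeholder for your own role tagging.

```powershell
# Added audit check (not part of the NIST catalog text): flags Hyper-V hosts
# where an access-control VM (domain controller) is co-located with
# application or monitoring VMs, contrary to SC-3(2).
# Assumptions: Hyper-V module present, WinRM reachable; VM role is inferred
# from a naming convention that you should replace with your own tagging.

function Get-VmRole {
    param([string]$VmName)
    switch -Regex ($VmName) {
        '^DC\d+'          { return 'AccessControl' }  # domain controllers
        '^(SIEM|IDS|MON)' { return 'Monitoring' }     # auditing / intrusion detection
        default           { return 'Application' }    # everything else
    }
}

function Test-DcHostIsolation {
    param([string[]]$HyperVHosts)
    $findings = @()
    foreach ($hv in $HyperVHosts) {
        # One inventory call per host; failures stop the audit rather than
        # silently reporting a host as clean.
        $vms   = Get-VM -ComputerName $hv -ErrorAction Stop
        $roles = $vms | Group-Object { Get-VmRole $_.Name }
        $hasDc = $roles.Name -contains 'AccessControl'
        $other = $roles | Where-Object { $_.Name -ne 'AccessControl' }
        if ($hasDc -and $other) {
            $findings += [pscustomobject]@{
                Host      = $hv
                Violation = 'DC shares host with: ' + ($other.Name -join ', ')
                VMs       = ($other.Group.Name -join ', ')
            }
        }
    }
    return $findings
}

# Usage (host names are placeholders for your dedicated DC hosts):
Test-DcHostIsolation -HyperVHosts 'HV-DC-01','HV-DC-02' | Format-Table -AutoSize
```

An empty result means every listed host carries only access-control VMs; any finding names the co-located VMs so they can be migrated off the dedicated host.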