NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-39(1) Hardware Separation

Implement hardware separation mechanisms to facilitate process isolation.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Hardware-based separation of system processes is generally less susceptible to compromise than software-based separation, thus providing greater assurance that the separation will be enforced. Hardware separation mechanisms include hardware memory management.

Practitioner Notes

Use hardware-enforced separation between processes. CPU privilege levels and MMU-enforced page tables keep user processes out of each other's memory and out of the kernel; virtualization extensions (Intel VT-x with EPT, AMD-V with NPT) and trusted execution environments go a step further and keep selected memory out of reach even of a compromised kernel. Prefer the mechanisms the operating system itself cannot disable or bypass, and verify that they are actually running rather than merely configured: a mechanism that is enabled in policy but not enforced by the hardware provides no separation at all.

Example 1: Enable Virtualization-Based Security (VBS) on Windows 10/11 and Server 2019+. VBS uses the Hyper-V hypervisor to run a second Virtual Trust Level (VTL 1) whose memory the normal kernel (VTL 0) cannot read or write, so even code running at ring 0 is separated from what lives there. Credential Guard moves LSA secrets (NTLM hashes, Kerberos tickets) into that isolated environment, and Hypervisor-protected Code Integrity (HVCI) moves the kernel's code-integrity decisions there so that a kernel compromise cannot load unsigned code. Prerequisites are 64-bit UEFI firmware with Secure Boot, a CPU with virtualization extensions and second-level address translation, and, for DMA protection, an IOMMU (Intel VT-d or AMD-Vi). Turning on VBS by itself protects nothing; Credential Guard and HVCI are the services that use it, and HVCI can block incompatible or unsigned drivers, so test on representative hardware before rolling it out.
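The following PowerShell script is an added example and is not part of the NIST control text or any Microsoft tool. It queries the Win32_DeviceGuard WMI class to show what is configured versus what is actually running, and writes the documented registry values that enable VBS, HVCI and Credential Guard on a single machine. Run it from an elevated session; the settings take effect after a reboot. The function names Get-VbsStatus and Enable-Vbs, and the two switches, are this example's own; on a fleet, Group Policy or MDM is the preferred way to push the same settings.

```powershell
# Added example: check and enable Windows Virtualization-Based Security (VBS).
# Requires an elevated PowerShell session; a reboot is needed for changes to apply.

function Get-VbsStatus {
    # Win32_DeviceGuard distinguishes "configured" from "running": policy can request
    # VBS on a machine whose firmware or CPU cannot actually provide it.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # Documented service codes: 1 = Credential Guard, 2 = HVCI.
    # Documented property codes: 1 = base virtualization, 2 = Secure Boot, 3 = DMA protection.
    [pscustomobject]@{
        VbsState               = $vbsState
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        SecureBootAvailable    = [bool]($dg.AvailableSecurityProperties -contains 2)
        DmaProtectionAvailable = [bool]($dg.AvailableSecurityProperties -contains 3)
    }
}

function Enable-Vbs {
    param(
        # Also require IOMMU-based DMA protection (RequirePlatformSecurityFeatures = 3).
        [switch]$RequireDmaProtection,
        # Persist the Credential Guard setting in UEFI so it cannot be turned off remotely
        # without physical presence (LsaCfgFlags = 1 instead of 2).
        [switch]$UefiLock
    )

    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    foreach ($key in @($dgKey, $hvciKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # Turn on VBS and state which platform features it must be backed by:
    # 1 = Secure Boot only, 3 = Secure Boot plus DMA protection.
    $platform = if ($RequireDmaProtection) { 3 } else { 1 }
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value $platform -Type DWord

    # HVCI: kernel code-integrity enforcement runs in VTL 1, out of the kernel's reach.
    Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Value 1 -Type DWord

    # Credential Guard: LSA secrets are held by the isolated LSA process in VTL 1.
    $lsaCfg = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $lsaCfg -Type DWord
}

# Usage: inspect first, then enable and reboot.
Get-VbsStatus | Format-List
# Enable-Vbs -RequireDmaProtection -UefiLock
# Restart-Computer
```

After the reboot, run Get-VbsStatus again and treat anything other than VbsState = Running with CredentialGuardRunning and HvciRunning both True as a finding: the registry values express intent, and only the WMI status shows that the hypervisor is actually enforcing the separation.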

Example 2: Use Intel SGX enclaves for applications that process highly sensitive data. The CPU keeps enclave memory (the Enclave Page Cache) encrypted and integrity-protected in DRAM and refuses any access from code outside the enclave, including the operating system and the hypervisor, so a compromised host cannot read or tamper with enclave state directly. Two caveats matter in practice. First, SGX does not defend against side-channel attacks (several have been published against it, Foreshadow/L1TF among them), so enclave code must be written with constant-time and access-pattern hygiene, and microcode must be kept current. Second, provision secrets to an enclave only after remote attestation has confirmed its measured identity on a platform whose trusted computing base is up to date. Note also that Intel has removed SGX from its client (Core) processors from the 11th generation onward; it remains available on Xeon server parts, so check the target hardware before designing around it.