NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-39(2) Separate Execution Domain Per Thread

Maintain a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

None.

Practitioner Notes

Give each thread its own execution domain to prevent thread-level attacks in which one thread accesses another thread's data.

Example 1: Ensure your systems have Spectre and Meltdown mitigations enabled (microcode updates and OS patches). These attacks exploit shared CPU resources between threads. Verify mitigations are active using tools like SpecuCheck or InSpectre.

Example 2: For highly sensitive workloads, disable Hyper-Threading (SMT) on the physical CPU. This ensures each thread gets its own dedicated CPU core and cannot share execution resources with another thread that might be running malicious code.
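A Linux counterpart to the two checks above, as an added example that is not part of the original page. It assumes a Linux host whose kernel reports mitigation and SMT state under /sys/devices/system/cpu; the function names, return codes and the --audit switch are choices made for this example.

```sh
#!/bin/sh
# Added example: audit a Linux host for the two checks above via sysfs.
# Assumption: the kernel exposes cpu/vulnerabilities and cpu/smt under ROOT.

# check_vulns ROOT -> 0 all mitigated, 1 something "Vulnerable",
#                     3 mitigated but SMT siblings still exposed, 2 unknown
check_vulns() {
    cv_dir="$1/vulnerabilities"; cv_rc=0
    [ -d "$cv_dir" ] || { echo "UNKNOWN no $cv_dir"; return 2; }
    for cv_f in "$cv_dir"/*; do
        [ -f "$cv_f" ] || continue
        cv_s=$(cat "$cv_f")
        case "$cv_s" in
            Vulnerable*)
                echo "FAIL ${cv_f##*/}: $cv_s"; cv_rc=1 ;;
            *"SMT vulnerable"*)
                echo "WARN ${cv_f##*/}: $cv_s"
                [ "$cv_rc" -eq 1 ] || cv_rc=3 ;;
            *)
                echo "OK   ${cv_f##*/}: $cv_s" ;;
        esac
    done
    return "$cv_rc"
}

# check_smt ROOT -> 0 no sibling threads active, 1 SMT active, 2 unknown
check_smt() {
    [ -r "$1/smt/control" ] && [ -r "$1/smt/active" ] ||
        { echo "UNKNOWN no $1/smt"; return 2; }
    cs_ctl=$(cat "$1/smt/control"); cs_act=$(cat "$1/smt/active")
    if [ "$cs_act" = "0" ]; then
        echo "OK   smt inactive (control=$cs_ctl)"; return 0
    fi
    echo "FAIL smt active, sibling threads share a core (control=$cs_ctl)"
    return 1
}

# Run as: sh audit.sh --audit [ROOT]   (ROOT defaults to the live sysfs tree)
if [ "${1:-}" = "--audit" ]; then
    root="${2:-/sys/devices/system/cpu}"
    check_vulns "$root"; v=$?
    check_smt "$root"; s=$?
    [ "$v" -eq 0 ] && [ "$s" -eq 0 ]
    exit $?
fi
```

A WARN line means the kernel has applied its mitigation but still reports sibling hardware threads as exposed, which is the case Example 2 addresses.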