NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-4 — Information in Shared System Resources
Prevent unauthorized and unintended information transfer via shared system resources.
Supplemental Guidance
Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
Practitioner Notes
When one user or process finishes using shared system resources — memory, disk space, CPU registers — the system must clear or overwrite those resources before reallocating them, so the next user or process cannot read leftover data. This prevents information leakage between users and roles.
Example 1: Enable the "Shutdown: Clear virtual memory pagefile" GPO setting under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. This ensures the Windows pagefile is wiped at shutdown, so sensitive data that was paged out of RAM is not left on disk for the next boot or for offline recovery.
Example 2: On database servers, configure your SQL instance to overwrite deleted data blocks rather than simply marking them as available. In SQL Server, enable Transparent Data Encryption (TDE) so that, even if freed data pages are later recovered from disk, they are encrypted and unreadable without the database encryption key.
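The following PowerShell script is an added example, not part of the NIST control text, that produces evidence for both practitioner examples above: it reads the registry value the "Shutdown: Clear virtual memory pagefile" policy writes (ClearPageFileAtShutdown, 1 = enabled) and queries sys.dm_database_encryption_keys for the TDE state of every user database. It assumes a Windows host with the SqlServer module installed and a reachable instance; the $SqlInstance parameter and the "SC-4" labels in the output are this example's own choices.

```powershell
# Added example (not from the control text): SC-4 evidence check for the pagefile
# and TDE examples above. Assumes Windows plus the SqlServer module (Invoke-Sqlcmd).
param(
    [string]$SqlInstance = 'localhost'   # assumed parameter; point at the instance to audit
)

# --- Example 1: "Shutdown: Clear virtual memory pagefile" ---
# The GPO setting is stored as this DWORD; 1 means the pagefile is wiped at shutdown.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ClearPageFile = (Get-ItemProperty -Path $MemMgmt -Name 'ClearPageFileAtShutdown' `
                    -ErrorAction SilentlyContinue).ClearPageFileAtShutdown

[pscustomobject]@{
    Control  = 'SC-4'
    Check    = 'ClearPageFileAtShutdown'
    Expected = 1
    Actual   = if ($null -eq $ClearPageFile) { 'not set (defaults to 0)' } else { $ClearPageFile }
    Status   = if ($ClearPageFile -eq 1) { 'PASS' } else { 'FAIL' }
}

# Local remediation for a stand-alone host. On a domain-joined host, set it through the
# GPO instead; a local change is overwritten at the next policy refresh.
# Set-ItemProperty -Path $MemMgmt -Name 'ClearPageFileAtShutdown' -Value 1 -Type DWord

# --- Example 2: TDE state of each user database ---
# encryption_state values from sys.dm_database_encryption_keys:
#   0 = no encryption key present, 1 = unencrypted, 2 = encryption in progress,
#   3 = encrypted, 4 = key change in progress, 5 = decryption in progress
$TdeQuery = @"
SELECT d.name AS database_name,
       ISNULL(k.encryption_state, 0) AS encryption_state,
       d.is_encrypted
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.database_id > 4;   -- skip master, tempdb, model, msdb
"@

Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $TdeQuery | ForEach-Object {
    [pscustomobject]@{
        Control  = 'SC-4'
        Check    = "TDE:$($_.database_name)"
        Expected = 'encryption_state 3 (encrypted)'
        Actual   = "encryption_state $($_.encryption_state)"
        Status   = if ($_.encryption_state -eq 3) { 'PASS' } else { 'FAIL' }
    }
}
```

Run it in an elevated session on the SQL host (or pass -SqlInstance for a remote instance) and keep the objects it emits as control evidence. A database reporting encryption_state 2 is still being encrypted and should be re-checked rather than marked compliant, and enabling the pagefile setting lengthens shutdown time in proportion to pagefile size, which is worth noting in the change record.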