NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-49Hardware-enforced Separation and Policy Enforcement

Implement hardware-enforced separation and policy enforcement mechanisms between organization-defined parameter.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement.

Practitioner Notes

Use hardware-enforced separation and policy enforcement — where the CPU or dedicated hardware enforces security boundaries that software alone cannot bypass.

Example 1: Deploy systems with AMD SEV (Secure Encrypted Virtualization) or Intel TDX (Trust Domain Extensions) that use the CPU to encrypt each VM's memory with a unique key. Even the hypervisor cannot read a VM's memory, providing hardware-enforced isolation between tenants.

Example 2: Use ARM TrustZone on mobile and IoT devices to create a hardware-isolated "secure world" for processing sensitive data. The secure world runs a separate OS that handles cryptographic operations, while the normal world runs the user-facing applications.

More System and Communications Protection Controls

SC-1 Policy and Procedures SC-2 Separation of System and User Functionality SC-2(1) Interfaces for Non-privileged Users SC-2(2) Disassociability