NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(21) Isolation of System Components

Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys.

Practitioner Notes

Critical system components should be physically or logically isolated from each other so that compromise of one component does not hand an attacker the rest, and so that traffic between components can be constrained and inspected rather than flowing freely on one flat network. The access paths between isolated components should be written down, and everything not on that list should be denied by default.

Example 1: Put your database servers on a dedicated VLAN that only your application servers can reach. Web servers sit on another VLAN. Management interfaces sit on a third, reachable only from the administrative network or a bastion host. Firewall rules between VLANs enforce strict, documented access paths and deny everything else.

Example 2: In Azure or AWS, deploy each application tier in its own subnet with Network Security Groups (Azure) or Security Groups (AWS) between them. Your web tier can reach the app tier on port 443, the app tier can reach the database tier on port 1433, and no other paths are allowed. Reference the source tier's security group rather than a CIDR range where the platform supports it, so the rule follows the instances instead of an address block, and review the rule set regularly for paths that bypass a tier (for example, web reaching the database directly) or that expose a management port to the internet.
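The review step above is easy to automate. The following script is an added example (not NIST or vendor code) that encodes the documented allow-list from Examples 1 and 2 as a policy, generates the minimal ingress rule set from it, and flags deployed rules that open an undocumented path. The tier names, the management range 10.0.9.0/24, and the deployed rules are all constructed for illustration.

```python
"""Tier-isolation check: compare deployed ingress rules (security groups or VLAN
ACLs) against an explicit allow-list of inter-tier paths.
Added example; not NIST or cloud-provider code. Tier names, the assumed
management range 10.0.9.0/24, and the DEPLOYED rules are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network

TIERS = {"web", "app", "db", "mgmt"}
SOURCES = TIERS | {"internet"}
MGMT_RANGE = ip_network("10.0.9.0/24")  # assumed administrative network

# Documented allow-list: (source, destination, protocol, port).
# Everything not listed here is denied by default.
POLICY = {
    ("internet", "web", "tcp", 443),
    ("web", "app", "tcp", 443),
    ("app", "db", "tcp", 1433),
    ("mgmt", "web", "tcp", 22),
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "db", "tcp", 22),
}


@dataclass(frozen=True)
class Ingress:
    """One ingress rule attached to the group/ACL protecting dst_tier."""
    dst_tier: str   # tier whose security group the rule belongs to
    src: str        # source tier name (group reference) or a CIDR string
    proto: str      # "tcp" or "udp"
    port: int


def classify_source(src: str) -> str:
    """Map a rule source to a logical tier. Group references pass through;
    a CIDR inside the management range is 'mgmt', any other CIDR (including
    0.0.0.0/0) is treated as 'internet', the least trusted source."""
    if src in SOURCES:
        return src
    net = ip_network(src, strict=False)
    if net.version == 4 and net.subnet_of(MGMT_RANGE):
        return "mgmt"
    return "internet"


def rules_from_policy(policy=POLICY) -> set[Ingress]:
    """Minimal ingress rule set that implements the policy exactly."""
    return {Ingress(dst, src, proto, port) for (src, dst, proto, port) in policy}


def find_violations(rules, policy=POLICY) -> list[Ingress]:
    """Deployed rules that open a path the policy does not document."""
    return [r for r in rules
            if (classify_source(r.src), r.dst_tier, r.proto, r.port) not in policy]


def missing_rules(rules, policy=POLICY) -> set[tuple]:
    """Documented paths with no implementing rule (broken, not unsafe)."""
    present = {(classify_source(r.src), r.dst_tier, r.proto, r.port) for r in rules}
    return set(policy) - present


# Constructed sample of what a cloud API might return for the three tiers.
DEPLOYED = [
    Ingress("web", "0.0.0.0/0", "tcp", 443),    # ok: public web tier
    Ingress("app", "web", "tcp", 443),          # ok: web -> app
    Ingress("db", "app", "tcp", 1433),          # ok: app -> db
    Ingress("db", "web", "tcp", 1433),          # violation: web bypasses app tier
    Ingress("db", "0.0.0.0/0", "tcp", 3389),    # violation: RDP open to the world
    Ingress("app", "10.0.9.0/24", "tcp", 22),   # ok: management network
    Ingress("web", "10.0.9.17/32", "tcp", 22),  # ok: single management host
    # note: no mgmt -> db rule, so that documented path is missing
]

if __name__ == "__main__":
    for r in find_violations(DEPLOYED):
        print("VIOLATION:", r)
    for p in sorted(missing_rules(DEPLOYED)):
        print("MISSING  :", p)
```

Run it against a rule export from your cloud account (or a VLAN ACL dump mapped into Ingress objects) as part of change review; a non-empty violation list is a finding against the documented isolation, and a non-empty missing list means a documented path is not actually implemented.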