NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-16 Memory Protection

Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.

Practitioner Notes

Memory protection prevents attackers from executing code in memory regions that should only contain data, which blocks the classic exploitation of buffer overflows in which injected code is run from the stack or heap.

Example 1: Ensure Data Execution Prevention (DEP) is enabled on all Windows systems. DEP marks memory pages as non-executable so malicious code injected into data memory regions cannot run. Verify via GPO or SCCM compliance baselines.

Example 2: Enable Address Space Layout Randomization (ASLR) to randomize where programs load in memory. This makes it extremely difficult for attackers to predict memory addresses for exploit code. On Windows, ASLR is on by default — verify it is active using Windows Security Center or the Exploit Protection settings.
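The verification steps in Examples 1 and 2 can be scripted. The following PowerShell check is an added example, not part of the NIST catalog or this page's source; it assumes a Windows 10/11 or Server 2016+ host with the built-in ProcessMitigations module (which reads the same Exploit Protection settings the Windows Security app shows) and an elevated session. It reports hardware DEP availability, the DEP support policy, and the system-wide ASLR defaults, and lists findings against the expectations stated above.

```powershell
# Added example (not NIST's or this page's code): SI-16 posture check for DEP and ASLR.
# Assumes Windows 10/11 or Server 2016+, the ProcessMitigations module, and an elevated shell.
$findings = New-Object System.Collections.Generic.List[string]

# 1. DEP as reported by WMI. SupportPolicy values documented by Microsoft:
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows binaries only, the default), 3 = OptOut
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$depPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Host ("DEP hardware (NX) available : {0}" -f $os.DataExecutionPrevention_Available)
Write-Host ("DEP support policy          : {0} ({1})" -f $depPolicy, $depPolicyNames[$depPolicy])

if (-not $os.DataExecutionPrevention_Available) {
    # Software-enforced DEP only: the weaker mechanism named in the supplemental guidance.
    $findings.Add('Hardware-enforced DEP not available; only software DEP applies.')
}
if ($depPolicy -ne 1 -and $depPolicy -ne 3) {
    $findings.Add("DEP policy is $($depPolicyNames[$depPolicy]); expected OptOut (3) or AlwaysOn (1).")
}

# 2. System-wide Exploit Protection defaults (ASLR and DEP sections).
#    Each option reports ON, OFF or NOTSET.
$mit  = Get-ProcessMitigation -System
$aslr = $mit.ASLR
$dep  = $mit.DEP
Write-Host ("ASLR BottomUp / HighEntropy : {0} / {1}" -f $aslr.BottomUp, $aslr.HighEntropy)
Write-Host ("ASLR ForceRelocateImages    : {0}" -f $aslr.ForceRelocateImages)
Write-Host ("DEP Enable (system default) : {0}" -f $dep.Enable)

if ("$($dep.Enable)" -eq 'OFF') { $findings.Add('System default DEP is OFF.') }
if ("$($aslr.BottomUp)" -eq 'OFF' -or "$($aslr.HighEntropy)" -eq 'OFF') {
    $findings.Add('Bottom-up or high-entropy ASLR is disabled system-wide.')
}
# Mandatory ASLR (ForceRelocateImages) is not on by default; without it, images that were
# not linked with /DYNAMICBASE load at fixed addresses. Reported as a finding for review.
if ("$($aslr.ForceRelocateImages)" -ne 'ON') {
    $findings.Add('Mandatory ASLR (ForceRelocateImages) is not enabled; non-/DYNAMICBASE images are not randomized.')
}

if ($findings.Count -eq 0) {
    Write-Host 'SI-16 check: PASS'
} else {
    Write-Host 'SI-16 check: FINDINGS'
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it through a compliance baseline or SCCM script deployment and collect the output per host; a FINDINGS result is the evidence to act on, and the same properties can be enforced with Set-ProcessMitigation -System.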