NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-7(11) Confined Environments with Limited Privileges

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Run untrusted software in confined environments with limited privileges to contain any damage if the software turns out to be malicious.

Example 1: Use Windows Sandbox or Application Guard to open untrusted files and browse untrusted websites in an isolated, disposable container. When the sandbox is closed, any malware inside is destroyed.

Example 2: Run third-party applications in Docker containers with minimal privileges — no root access, read-only file systems, limited network access. If the application is compromised, the container limits what the attacker can do and prevents lateral movement.