David at 01:37, 16 March 2025

2025-03-16T01:37:15Z

← Older revision		Revision as of 01:37, 16 March 2025
Line 1:		Line 1:
	'''Source of Reference: The official [https://~~www~~.~~acq~~.~~osd.mil~~/cmmc/~~documentation.html~~ CMMC Level 2 Assessment Guide] from the ~~Office of the Under Secretary~~ of Defense ~~Acquisition & Sustainment~~.'''		'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 2 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''

	For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.		For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
Line 11:		Line 11:
	'''Examine'''		'''Examine'''

	[SELECT FROM: System and communications protection policy;procedures addressing application partitioning;system security plan;system design documentation;system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].		[SELECT FROM: System and communications protection policy; procedures addressing application partitioning; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

	'''Interview'''		'''Interview'''

Wikiadmin: Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == SC.L2-3.13.4 – SHARED RESOURCE CONTROL == === SECURITY REQUIREMENT === Prevent unauthorized and unintended information transfer via shared system resources.===..."

2022-02-25T03:03:15Z

Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == SC.L2-3.13.4 – SHARED RESOURCE CONTROL == === SECURITY REQUIREMENT === Prevent unauthorized and unintended information transfer via shared system resources.===..."

New page

'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''

For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

== SC.L2-3.13.4 – SHARED RESOURCE CONTROL ==
=== SECURITY REQUIREMENT ===
Prevent unauthorized and unintended information transfer via shared system resources.=== ASSESSMENT OBJECTIVES ===
Determine if:
: [a] unauthorized and unintended information transfer via shared system resources is prevented.
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS ===
'''Examine'''

[SELECT FROM: System and communications protection policy;procedures addressing application partitioning;system security plan;system design documentation;system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

'''Interview'''

[SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].

'''Test'''

[SELECT FROM: Separation of user functionality from system management functionality].
=== DISCUSSION ===
The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information.This requirement does not address information remnants, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
=== FURTHER DISCUSSION ===
No shared system resource, such as cache memory, hard disks, registers, or main memory may pass information from one user to another user. In other words, when objects are reused no residual information should exist on that object. This protects the confidentiality of the information. This is typically a feature provided by operating system and software vendors.

'''Example'''

You are a system administrator responsible for creating and deploying the system hardening procedures for your company’s computers. You ensure that the computer baselines include software patches to prevent attackers from exploiting flaws in the processor architecture to read data (e.g., the Meltdown and Spectre exploits). You also verify that the computer operating system is configured to prevent users from accessing other users’ folders [a].

'''Potential Assessment Considerations'''
* Are shared system resources identified and documented [a]?
=== KEY REFERENCES ===
* NIST SP 800-171 Rev 2 3.13.4

Practice SC.L2-3.13.4 Details - Revision history

David at 01:37, 16 March 2025