Navigate

AC-6(4)

AC-6(4): Separate Processing Domains

Provide separate processing domains to enable finer-grained allocation of user privileges.

Supplemental

Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
CDS - Access, CDS - Multilevel, CDS - Transfer, DAF Baseline, NC3

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-6(4).

Control	Description
AC-4	Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [information flow control policies within the system and between connected systems are defined;].
SC-2	Separate user functionality, including user interface services, from system management functionality.
SC-3	Isolate security functions from nonsecurity functions.
SC-30	Employ the following concealment and misdirection techniques for [systems for which concealment and misdirection techniques are to be employed are defined;] at [time periods to employ concealment and misdirection techniques for systems are defined;] to confuse and mislead adversaries: [concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting systems are defined;].
SC-32	Partition the system into [system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined;] residing in separate [one of "physical"/"logical"] domains or environments based on [circumstances for the physical or logical separation of components are defined;].
SC-39	Maintain a separate execution domain for each executing system process.

Enhancements

The controls below (if any) add on to the requirements of AC-6(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-6(4).

CCI	Definition
CCI-002225	Provide separate processing domains to enable finer-grained allocation of user privileges.