Navigate

SC-32

SC-32: System Partitioning

Partition the system into [system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined;] residing in separate [one of "physical"/"logical"] domains or environments based on [circumstances for the physical or logical separation of components are defined;].

Supplemental

System partitioning is part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components. Physical separation options include physically distinct components in separate racks in the same room, critical components in separate rooms, and geographical separation of critical components. Security categorization can guide the selection of candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned system components.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
CDS - Access, CDS - Multilevel, CDS - Transfer, DAF Baseline, Int-C

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-32.

Control	Description
AC-4	Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [information flow control policies within the system and between connected systems are defined;].
AC-6	Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
SA-8	Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [one of ].
SC-2	Separate user functionality, including user interface services, from system management functionality.
SC-3	Isolate security functions from nonsecurity functions.
SC-7	a: Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b: Implement subnetworks for publicly accessible system components that are [one of "physically"/"logically"] separated from internal organizational networks; and c: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
SC-36	Distribute the following processing and storage components across multiple [one of "physical locations"/"logical domains"]: [one of ].

Enhancements

The controls below (if any) add on to the requirements of SC-32.

Control	Description
SC-32(1)	Partition privileged functions into separate physical domains.

Related CCIs

The CCIs below are tied to SC-32.

CCI	Definition
CCI-002504	Defines the system components into which the system is partitioned.
CCI-002505	Defines the circumstances under which the system components are to be physically or logically separated to support partitioning.
CCI-002506	Partition the system into organization-defined system components residing in separate physical or logical domains or environments based on organization-defined circumstances for physical or logical separation of components.