AC-6(4): Separate Processing Domains

Control Family:

Parent Control:

AC-6: Least Privilege

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

Threats Addressed:

Elevation of Privilege

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
AC-6(4): Separate Processing Domains

Control Statement

The information system provides separate processing domains to enable finer-grained allocation of user privileges.

Supplemental Guidance

Providing separate processing domains for finer-grained allocation of user privileges includes, for example: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains.