SC-29: Heterogeneity
Control Family:
CSF v1.1 References:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
N/A
Next Version:
- NIST Special Publication 800-53 Revision 5:
- SC-29: Heterogeneity
Control Statement
The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.
Supplemental Guidance
Increasing the diversity of information technologies within organizational information systems reduces the impact of potential exploitations of specific technologies and also defends against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one information system component will be equally effective against other system components, thus further increasing the adversary work factor to successfully complete planned cyber attacks. An increase in diversity may add complexity and management overhead which could ultimately lead to mistakes and unauthorized configurations.
Control Enhancements
SC-29(1): Virtualization Techniques
Baseline(s):
The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].