AC-6(4): Separate Processing Domains

Control Family:

Access Control

Parent Control:

AC-6: Least Privilege

CSF v1.1 References:

Threats Addressed:


(Not part of any baseline)

Previous Version:

Control Statement

Provide separate processing domains to enable finer-grained allocation of user privileges.

Supplemental Guidance

Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms.