Device Class 2: Information In Shared Resources

Control ID: SC-4 Information In Shared Resources Family: System and Communications Protection Source: NIST 800-53r4
Control: The device prevents unauthorized and unintended information transfer via shared system resources.
Supplemental Guidance:
This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g.,registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.

Related Controls: AC-3, AC-4, MP-6
Control Enhancements: N/A
References: N/A
Mechanisms:

  • When a process, application, or user is finished using a sensitive shared resource the resource shall be released in a way that all registers, memory, and temporary disk drives are properly erased/cleaned up as to not leave any trace of the data.
  • When a process, application, or user is using a sensitive shared resource the users process shall restrict access to any temporary system resources it is using to view the file (registers, memory, local disks).

Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
SC-4/1 Removes traces of sensitive resources M Describe mechanism
SC-4/2 Restricts access to sensitive resources M Describe mechanism