NIST 800-53 r5 · Controls catalogue · Family SC
SC-3 Security Function Isolation
Isolate security functions from nonsecurity functions.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (18)
- T1003.001 LSASS Memory (Credential Access)
- T1021.003 Distributed Component Object Model (Lateral Movement)
- T1047 Windows Management Instrumentation (Execution)
- T1068 Exploitation for Privilege Escalation (Privilege Escalation)
- T1134.005 SID-History Injection (Stealth, Privilege Escalation)
- T1189 Drive-by Compromise (Initial Access)
- T1190 Exploit Public-Facing Application (Initial Access)
- T1203 Exploitation for Client Execution (Execution)
- T1210 Exploitation of Remote Services (Lateral Movement)
- T1211 Exploitation for Stealth (Stealth)
- T1212 Exploitation for Credential Access (Credential Access)
- T1559 Inter-Process Communication (Execution)
- T1559.001 Component Object Model (Execution)
- T1559.002 Dynamic Data Exchange (Execution)
- T1602 Data from Configuration Repository (Collection)
- T1602.001 SNMP (MIB Dump) (Collection)
- T1602.002 Network Device Configuration Dump (Collection)
- T1611 Escape to Host (Privilege Escalation)
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | By design the control implements a hard boundary that prevents unauthorized actors or non-security functions from reaching security-critical resources or entry points. |
| CWE-269 | Improper Privilege Management | 2,907 | The control enforces separation so that privilege management decisions and operations for security functions cannot be influenced or subverted by non-security code. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Security functions become critical resources whose permissions can be assigned narrowly and independently of the rest of the system. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Isolating security functions allows them to execute with only the privileges they require while preventing non-security code from inheriting or accessing those privileges. |
| CWE-1220 | Insufficient Granularity of Access Control | 79 | Isolation supplies an explicit, enforceable granularity boundary between security and non-security functions that coarser access-control schemes lack. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | The control directly supplies the compartmentalization that CWE-653 requires between security and non-security domains. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2024-29970 | 2.0 | 9.8 | 0.0028 | partial |