NIST 800-53 r5 · Controls catalogue · Family SC

SC-39Process Isolation

Maintain a separate execution domain for each executing system process.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

T1003 OS Credential Dumping Credential Access
T1003.001 LSASS Memory Credential Access
T1003.002 Security Account Manager Credential Access
T1003.003 NTDS Credential Access
T1003.004 LSA Secrets Credential Access
T1003.005 Cached Domain Credentials Credential Access
T1003.006 DCSync Credential Access
T1003.007 Proc Filesystem Credential Access
T1003.008 /etc/passwd and /etc/shadow Credential Access
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1189 Drive-by Compromise Initial Access
T1190 Exploit Public-Facing Application Initial Access
T1203 Exploitation for Client Execution Execution
T1210 Exploitation of Remote Services Lateral Movement
T1211 Exploitation for Stealth Stealth
T1212 Exploitation for Credential Access Credential Access
T1547.002 Authentication Package Persistence, Privilege Escalation
T1547.005 Security Support Provider Persistence, Privilege Escalation
T1547.008 LSASS Driver Persistence, Privilege Escalation
T1556 Modify Authentication Process Defense Impairment, Persistence, Credential Access
T1556.001 Domain Controller Authentication Defense Impairment, Persistence, Credential Access
T1611 Escape to Host Privilege Escalation

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-284`	Improper Access Control	4,832	Maintaining distinct execution domains directly implements access-control separation between processes, blocking unauthorized cross-process access.
`CWE-269`	Improper Privilege Management	2,907	Separate execution domains enforce privilege boundaries so that improper privilege management within one process cannot affect others.
`CWE-732`	Incorrect Permission Assignment for Critical Resource	1,824	By giving each process its own protected domain, the control reduces the impact of incorrect permission assignments on critical resources shared across processes.
`CWE-668`	Exposure of Resource to Wrong Sphere	779	Process isolation ensures resources remain inside their intended spheres, preventing exposure of a resource to an unintended process.
`CWE-250`	Execution with Unnecessary Privileges	305	Process isolation confines each process to its own execution domain, preventing one process from exercising the privileges or resources belonging to another.
`CWE-653`	Improper Isolation or Compartmentalization	52	The control is a direct realization of proper isolation and compartmentalization, eliminating the weakness of shared execution domains.

CVE	Risk	CVSS	EPSS	Match
`CVE-2026-39861`	2.0	10.0	0.0015	good
`CVE-2025-2857`	2.0	10.0	0.0020	good
`CVE-2024-56346`	2.0	10.0	0.0033	good
`CVE-2025-24249`	2.0	9.8	0.0066	good
`CVE-2026-41265`	2.0	9.8	0.0017	good
`CVE-2026-25725`	2.0	10.0	0.0002	good
`CVE-2025-43275`	2.0	9.8	0.0013	good
`CVE-2025-15540`	1.8	8.8	0.0006	good
`CVE-2026-20667`	1.8	8.8	0.0002	good
`CVE-2024-56444`	1.5	7.5	0.0024	good
`CVE-2026-32048`	1.5	7.5	0.0002	good
`CVE-2024-56443`	1.2	6.2	0.0009	good
`CVE-2024-56435`	1.2	6.2	0.0007	good
`CVE-2026-32046`	1.1	5.3	0.0002	good
`CVE-2025-52643`	0.9	4.7	0.0002	good
`CVE-2025-24201` KEV	4.0	10.0	0.0024	good
`CVE-2025-6558` KEV	3.8	8.8	0.0022	good
`CVE-2025-43510` KEV	3.6	7.8	0.0030	good
`CVE-2026-34156`	3.6	9.9	0.2740	good
`CVE-2025-21590` KEV	3.0	4.4	0.0175	good
`CVE-2025-24118`	3.0	7.1	0.2702	good
`CVE-2025-51482`	2.1	8.8	0.0579	good
`CVE-2026-33396`	2.0	9.9	0.0097	good
`CVE-2026-30957`	2.0	9.9	0.0010	good
`CVE-2025-69983`	2.0	9.8	0.0036	good