NIST 800-53 r5 · Controls catalogue · Family SC
SC-46 Cross Domain Policy Enforcement
Implement a policy enforcement mechanism {{ insert: param, sc-46_odp }} between the physical and/or network interfaces for the connecting security domains.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (27)
- T1021.001 Remote Desktop Protocol (Lateral Movement)
- T1021.003 Distributed Component Object Model (Lateral Movement)
- T1021.006 Windows Remote Management (Lateral Movement)
- T1046 Network Service Discovery (Discovery)
- T1048 Exfiltration Over Alternative Protocol (Exfiltration)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol (Exfiltration)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (Exfiltration)
- T1072 Software Deployment Tools (Execution, Lateral Movement)
- T1098.001 Additional Cloud Credentials (Persistence, Privilege Escalation)
- T1133 External Remote Services (Persistence, Initial Access)
- T1136 Create Account (Persistence)
- T1136.002 Domain Account (Persistence)
- T1190 Exploit Public-Facing Application (Initial Access)
- T1199 Trusted Relationship (Initial Access)
- T1210 Exploitation of Remote Services (Lateral Movement)
- T1482 Domain Trust Discovery (Discovery)
- T1489 Service Stop (Impact)
- T1552.007 Container API (Credential Access)
- T1557 Adversary-in-the-Middle (Credential Access, Collection)
- T1557.001 Name Resolution Poisoning and SMB Relay (Credential Access, Collection)
- T1557.003 DHCP Spoofing (Credential Access, Collection)
- T1557.004 Evil Twin (Credential Access, Collection)
- T1563 Remote Service Session Hijacking (Lateral Movement)
- T1563.002 RDP Hijacking (Lateral Movement)
- T1565 Data Manipulation (Impact)
- T1565.003 Runtime Data Manipulation (Impact)
- T1622 Debugger Evasion (Stealth, Discovery)
Weaknesses this control addresses (9)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVE count | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Implementing the enforcement point directly addresses missing authorization checks for operations that cross security domains. |
| CWE-284 | Improper Access Control | 4,832 | Cross-domain policy enforcement implements mandatory access control at domain boundaries, directly preventing unauthorized interactions across security domains. |
| CWE-863 | Incorrect Authorization | 3,234 | The mechanism applies correct, centrally managed authorization rules at domain boundaries, blocking incorrect authorization logic from being exploited. |
| CWE-285 | Improper Authorization | 1,230 | The control enforces explicit authorization policies on all traffic and data flows between domains, mitigating improper or missing authorization decisions. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | The control ensures resources are not exposed outside their intended security domain by filtering transfers at the domain boundary. |
| CWE-669 | Incorrect Resource Transfer Between Spheres | 96 | It governs all resource transfers between spheres, preventing incorrect or unauthorized movement of data or capabilities across domain interfaces. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | Policy enforcement restricts communication channels to only the intended endpoints and protocols between security domains. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | Policy enforcement between domains strengthens isolation and compartmentalization, reducing the ability to exploit weak separation of security contexts. |
| CWE-501 | Trust Boundary Violation | 24 | By mediating every interface between security domains, the mechanism upholds trust boundaries and blocks violations that would allow untrusted data or commands to cross. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-34449 | 1.9 | 9.6 | 0.0015 | good |
| CVE-2026-41056 | 1.6 | 8.1 | 0.0006 | good |
| CVE-2026-6662 | 1.5 | 7.3 | 0.0002 | good |
| CVE-2026-5302 | 1.3 | 6.3 | 0.0003 | good |
| CVE-2024-22348 | 1.1 | 5.3 | 0.0004 | good |
| CVE-2026-33043 | 1.6 | 8.1 | 0.0002 | good |