SC.L2-3.13.4 requires organizations to prevent unauthorized and unintended information transfer through shared system resources, including memory, storage, CPU caches, temporary files, swap space, and inter-process communication channels. Grounded in NIST SP 800-171 Rev 2 §3.13.4, this practice targets the risk that residual data left in shared resources by one process or user could be read by a subsequent process or user that receives the same resource allocation. For most small and mid-size defense contractors, compliance centers on ensuring operating systems zero memory on deallocation, restricting permissions on shared directories and temporary file locations, clearing session data on termination, and isolating user profiles on shared workstations. In cloud and virtualized environments, the organization must verify that the hosting provider enforces tenant isolation through FedRAMP authorization or equivalent documentation.
Where it stops · what it isn't
- —Does not govern network-layer information flow enforcement between separate systems or security domains — that is addressed by SC.L2-3.13.1
- —Does not cover encryption of data in transit over communications channels — addressed by SC.L2-3.13.8
- —Does not address covert timing channels or advanced hardware-level side-channel attacks (e.g., Spectre/Meltdown) beyond verifying OS-level mitigations are not disabled
- —Does not replace media sanitization requirements under MP.L2-3.8.3 for end-of-life media disposal, though residual data removal must align with both practices
- —Does not govern access control policy definitions — AC.L2-3.1.1 and related AC practices own that scope
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OFdomain/system-and-communications-protection