
SC-29 Heterogeneity

PBMM (P2)
Secret (P2)
Technical

>Control Description

(A) The organization employs a diverse set of information technologies for organization-defined information system components in the implementation of the information system.

>Supplemental Guidance

Increasing the diversity of information technologies within organizational information systems reduces the impact of potential exploitations of specific technologies and also defends against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one information system component will be equally effective against other system components, thus further increasing the adversary work factor to successfully complete planned cyber-attacks. An increase in diversity may add complexity and management overhead which could ultimately lead to mistakes and unauthorized configurations.

Related controls: SA-12, SA-14, SC-27

>Tailoring Guidance

In this context, employing diverse information technologies refers specifically to the practice of deploying security safeguards from different vendors at various locations. The intent of this security control is to ensure that an attack which exploits a security flaw in one product will be mitigated by a second product from a different vendor. The principle is that products from different vendors are unlikely to be susceptible to the same flaw.

For example, firewalls from different vendors should be used in adjacent network zones. Or, virus scanners from different vendors should be used on servers (e.g., mail server) and on desktops.
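The two examples above (firewalls between adjacent zones, anti-virus on servers versus desktops) can be checked mechanically against an asset inventory. The following is an added example, not part of the control text or any official ITSG-33 tooling; the inventory records, zone names and vendor names are constructed for illustration. Two boundary firewalls are treated as adjacent when they border a common zone, which is the situation the tailoring guidance describes: a flaw in a single vendor's product would then open both boundaries.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample inventory (hypothetical, not from the control text).
# Each firewall guards the boundary between the two zones it lists.
FIREWALLS = [
    {"name": "fw-edge", "vendor": "VendorA", "zones": ("internet", "dmz")},
    {"name": "fw-core", "vendor": "VendorB", "zones": ("dmz", "internal")},
    {"name": "fw-data", "vendor": "VendorB", "zones": ("internal", "database")},
]

# Constructed endpoint anti-virus inventory: host -> role and AV vendor.
ENDPOINT_AV = {
    "mail-server": {"role": "server", "vendor": "VendorA"},
    "file-server": {"role": "server", "vendor": "VendorA"},
    "desktop-01": {"role": "desktop", "vendor": "VendorA"},
    "desktop-02": {"role": "desktop", "vendor": "VendorC"},
}


def adjacent_firewall_findings(firewalls):
    """Return (zone, fw1, fw2, vendor) for every pair of firewalls that border
    the same zone yet come from the same vendor. Such a pair violates the
    SC-29 tailoring guidance: one vendor flaw would defeat both boundaries."""
    by_zone = defaultdict(list)
    for fw in firewalls:
        for zone in fw["zones"]:
            by_zone[zone].append(fw)

    findings = []
    for zone, fws in sorted(by_zone.items()):
        # Every pair of firewalls touching this zone is an adjacent pair.
        for a, b in combinations(fws, 2):
            if a["vendor"] == b["vendor"]:
                findings.append((zone, a["name"], b["name"], a["vendor"]))
    return findings


def endpoint_av_findings(endpoints):
    """Return the AV vendors used on both servers and desktops. The guidance
    expects the two populations to use different vendors, so any overlap is
    a finding."""
    vendors_by_role = defaultdict(set)
    for info in endpoints.values():
        vendors_by_role[info["role"]].add(info["vendor"])
    shared = vendors_by_role["server"] & vendors_by_role["desktop"]
    return sorted(shared)


if __name__ == "__main__":
    for zone, fw1, fw2, vendor in adjacent_firewall_findings(FIREWALLS):
        print(f"SC-29 finding: {fw1} and {fw2} both border '{zone}' using {vendor}")
    for vendor in endpoint_av_findings(ENDPOINT_AV):
        print(f"SC-29 finding: AV vendor {vendor} used on both servers and desktops")
```

On the constructed inventory the firewall check reports that fw-core and fw-data both border the internal zone with the same vendor, while the edge/core pair on the DMZ passes; the endpoint check reports VendorA as shared between servers and desktops. The same structure extends to other safeguard classes the guidance covers (any product type deployed at more than one location), and the management-overhead caveat in the supplemental guidance applies equally: the script flags missing diversity, but it does not judge whether the added vendors are being kept correctly configured.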
