
3.13.4 System and Communications Protection - Derived

Derived Requirement

>Control Description

Prevent unauthorized and unintended information transfer via shared system resources.

>Discussion

The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information.

This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern prohibiting remote activation of sensors?
  • What procedures ensure collaborative computing devices are secure?
  • How do you address cameras, microphones, and similar sensors?
  • Who approves sensor use on systems with CUI?
  • What governance prevents unauthorized sensor activation?

Technical Implementation:

  • What technical controls disable or restrict sensors?
  • How do you prevent remote activation of cameras/microphones?
  • What hardware or software solutions manage sensor access?
  • How do you implement physical sensor disablement (covers, removal)?
  • What monitoring detects unauthorized sensor activation?

Evidence & Documentation:

  • Can you show sensor control policies and configurations?
  • What evidence demonstrates sensors are disabled or controlled?
  • Can you provide physical inspection results of sensor controls?
  • What logs track sensor activation events?
  • What audit findings verify sensor control compliance?
