CMMC Practice SC.4.197
Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization.
Bold Coast Security Guidance
For level 4 compliance in this practice, there must be standard practices, required by formal policy, and a plan to bring the many disparate pieces of general data protection controls that include layers of physical and logical protective and detective controls. From data center physical restrictions, monitoring and activity review to the technical controls an organization can employ to control the access and flow of data, there is a lot to consider. The sense that there are a lot of plans required in an information / cyber security program is what a well-crafted program actually looks like. The better an organization can conceptualize the big picture, including the risks its facing, but more holistic the actual written program can be.
At this maturity level, the help of an expert can be invaluable, and it's wise to engage earlier so that big strategic view can be brought into focus.
DRAFT NIST SP 800-171B
Physical and logical isolation techniques applied at the architectural level of the system can limit the unauthorized flow of CUI; reduce the system attack surface; constrain the number of system components that must be highly secure; and impede the movement of an adversary. Physical and logical isolation techniques when implemented with managed interfaces, can isolate CUI into separate security domains where additional protections can be applied . Any communications across the managed interfaces (i.e., across security domains), constitutes remote access, even if the communications stay within the organization. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components . This type of enhanced protection limits the potential harm from and susceptibility to hostile cyber-attacks and errors. The degree of isolation varies depending upon the boundary protection mechanisms selected. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization and micro-virtualization techniques; encrypting information flows among system components using distinct encryption keys; cross-domain devices separating subnetworks; and complete physical separation (i.e., air gaps).
Architectural strategies include logical isolation, partial physical and logical isolation, or complete physical isolation between subsystems and at system boundaries between resources that store, process, transmit, or protect CUI and other resources. Examples include:
• Logical isolation: data tagging, digital rights management (DRM), and data loss prevention (DLP) that tags, monitors, and restricts the flow of CUI; virtual machines or containers that separate CUI and other information on hosts; and virtual local area networks (VLAN) that keep CUI and other information separate on networks.
• Partial physical and logical isolation: physically or cryptographically isolated networks; dedicated hardware in data centers; and secure clients that: (a) may not directly access resources outside of the domain (i.e., all networked applications execute as remote virtual applications hosted in a DMZ or internal and protected enclave); (b) access via remote virtualized applications or virtual desktop with no file
transfer capability other than with dual authorization; or (c) employ dedicated client hardware (e.g., a zero or thin client) or hardware approved for multi-level secure (MLS) usage.
• Complete physical isolation: dedicated (not shared) client and server hardware; physically isolated, stand-alone enclaves for clients and servers; and (a) logically separate network traffic (e.g., using a VLAN) with end -to-end encryption using PKI-based cryptography, or (b) physically isolate it from other traffic.
Isolation techniques are selected based on a risk management perspective that balances the threat, the information being protected, and the cost of the options for protection. Architectural and design decisions are guided and informed by the security requirements and selected solutions. NIST SP 800-160-1 provides guidance on developing trustworthy secure systems using systems security engineering practices and security design concepts.