CMMC Practice SC.L2-3.13.4 – Shared Resource Control: Prevent unauthorized and unintended information transfer via shared system resources.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
Section 6.4.2 Memory Management and Object Reuse explains how Microsoft Windows 10 builds this capability in.
This policy describes the need to prevent unauthorized and unintended information transfer via shared system resource on NC information systems. See section SC-4 - Information in Shared Resources.
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems.
This article describes UnixWare prevention of object reuse. It notes that the administrator need not do anything to enforce the secure reuse of system objects. This requirement is handled by the kernel automatically.
Discussion [NIST SP 800-171 R2]
The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remnants, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
Further Discussion
No shared system resource, such as cache memory, hard disks, registers, or main memory, may pass information from one user to another. In other words, when objects are reused, no residual information should remain on that object. This protects the confidentiality of the information. This is typically a feature provided by operating system and software vendors.
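As an added illustration (not part of the CMMC text), the following C program checks the two sides of object reuse described above: that pages handed out by the kernel arrive zero-filled, which is the vendor-provided guarantee the practice relies on, and that memory reused inside a single process falls outside that guarantee, so a program holding secrets must wipe its own buffers before releasing them. It assumes a POSIX system with mmap() and sysconf().

```c
// Added example, not part of the CMMC text. Assumes a POSIX system with mmap().
// Pages the kernel hands out (mmap MAP_ANONYMOUS) arrive zero-filled: the object
// reuse guarantee the practice describes. Heap memory reused inside one process
// is outside that guarantee, so secrets should be wiped by the program itself.
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return 1 if a freshly mapped anonymous page contains only zero bytes. */
int fresh_page_is_zeroed(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    int clean = 1;
    for (size_t i = 0; i < page && clean; i++) clean = (p[i] == 0);
    munmap(p, page);
    return clean;
}

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop the
   stores as "dead" (a plain memset right before free() is often optimised away). */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *v = (volatile unsigned char *)buf;
    while (len--) *v++ = 0;
}

/* Return 1 if a secret written to a heap buffer is gone after secure_wipe(). */
int wipe_leaves_no_residue(void) {
    size_t len = 64;
    unsigned char *secret = malloc(len);
    if (!secret) return 0;
    memset(secret, 'K', len);      /* constructed stand-in for key material */
    secure_wipe(secret, len);
    int clean = 1;
    for (size_t i = 0; i < len && clean; i++) clean = (secret[i] == 0);
    free(secret);
    return clean;
}

int main(void) {
    printf("kernel zero-fills new pages: %s\n", fresh_page_is_zeroed() ? "yes" : "no");
    printf("application wipe effective:  %s\n", wipe_leaves_no_residue() ? "yes" : "no");
    return 0;
}
```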