SC 29 HETEROGENEITY - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control: Employ a diverse set of information technologies for the following system components in the implementation of the system: [ Assignment: organization-defined system components ].

Discussion: Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.

Related Controls: AU-9 , PL-8 , SC-27 , SC-30 , SR-3.

Control Enhancements:

• (1) HETEROGENEITY / VIRTUALIZATION TECHNIQUES
  Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [ Assignment: organization-defined frequency ].

  Discussion: While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments.

  Related Controls: None.

References: None.