Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >System And Communications Protection
  4. >SP800-53-SC-49
SP800-53-SC-49Active

Hardware-enforced Separation and Policy Enforcement

Statement

Implement hardware-enforced separation and policy enforcement mechanisms between security domains.

Location

Control Family
System and Communications Protection

Control Details

Identifier
SP800-53-SC-49
Family
SC

Organisation-Defined Parameters

sc-49_odp
security domains

Supplemental Guidance

System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement.

Assessment Objective

hardware-enforced separation and policy enforcement mechanisms are implemented between security domains.

No cross-framework mappings available

← Back to System and Communications Protection
System and Communications Protection162 controls
SP800-53-SC-1Policy and ProceduresSP800-53-SC-2Separation of System and User FunctionalitySP800-53-SC-2(1)Interfaces for Non-privileged UsersSP800-53-SC-2(2)DisassociabilitySP800-53-SC-3Security Function IsolationSP800-53-SC-3(1)Hardware SeparationSP800-53-SC-3(2)Access and Flow Control FunctionsSP800-53-SC-3(3)Minimize Nonsecurity FunctionalitySP800-53-SC-3(4)Module Coupling and CohesivenessSP800-53-SC-3(5)Layered StructuresSP800-53-SC-4Information in Shared System ResourcesSP800-53-SC-4(1)Security LevelsSP800-53-SC-4(2)Multilevel or Periods ProcessingSP800-53-SC-5Denial-of-service ProtectionSP800-53-SC-5(1)Restrict Ability to Attack Other SystemsSP800-53-SC-5(2)Capacity, Bandwidth, and RedundancySP800-53-SC-5(3)Detection and MonitoringSP800-53-SC-6Resource AvailabilitySP800-53-SC-7Boundary ProtectionSP800-53-SC-7(1)Physically Separated SubnetworksSP800-53-SC-7(2)Public AccessSP800-53-SC-7(3)Access PointsSP800-53-SC-7(4)External Telecommunications ServicesSP800-53-SC-7(5)Deny by Default — Allow by ExceptionSP800-53-SC-7(6)Response to Recognized FailuresSP800-53-SC-7(7)Split Tunneling for Remote DevicesSP800-53-SC-7(8)Route Traffic to Authenticated Proxy ServersSP800-53-SC-7(9)Restrict Threatening Outgoing Communications TrafficSP800-53-SC-7(10)Prevent ExfiltrationSP800-53-SC-7(11)Restrict Incoming Communications TrafficSP800-53-SC-7(12)Host-based ProtectionSP800-53-SC-7(13)Isolation of Security Tools, Mechanisms, and Support ComponentsSP800-53-SC-7(14)Protect Against Unauthorized Physical ConnectionsSP800-53-SC-7(15)Networked Privileged AccessesSP800-53-SC-7(16)Prevent Discovery of System ComponentsSP800-53-SC-7(17)Automated Enforcement of Protocol FormatsSP800-53-SC-7(18)Fail SecureSP800-53-SC-7(19)Block Communication from Non-organizationally Configured HostsSP800-53-SC-7(20)Dynamic Isolation and SegregationSP800-53-SC-7(21)Isolation of System ComponentsSP800-53-SC-7(22)Separate Subnets for Connecting to Different Security DomainsSP800-53-SC-7(23)Disable Sender Feedback on Protocol Validation FailureSP800-53-SC-7(24)Personally Identifiable InformationSP800-53-SC-7(25)Unclassified National Security System ConnectionsSP800-53-SC-7(26)Classified National Security System ConnectionsSP800-53-SC-7(27)Unclassified Non-national Security System ConnectionsSP800-53-SC-7(28)Connections to Public NetworksSP800-53-SC-7(29)Separate Subnets to Isolate FunctionsSP800-53-SC-8Transmission Confidentiality and IntegritySP800-53-SC-8(1)Cryptographic ProtectionSP800-53-SC-8(2)Pre- and Post-transmission HandlingSP800-53-SC-8(3)Cryptographic Protection for Message ExternalsSP800-53-SC-8(4)Conceal or Randomize CommunicationsSP800-53-SC-8(5)Protected Distribution SystemSP800-53-SC-9Transmission ConfidentialitySP800-53-SC-10Network DisconnectSP800-53-SC-11Trusted PathSP800-53-SC-11(1)Irrefutable Communications PathSP800-53-SC-12Cryptographic Key Establishment and ManagementSP800-53-SC-12(1)AvailabilitySP800-53-SC-12(2)Symmetric KeysSP800-53-SC-12(3)Asymmetric KeysSP800-53-SC-12(4)PKI CertificatesSP800-53-SC-12(5)PKI Certificates / Hardware TokensSP800-53-SC-12(6)Physical Control of KeysSP800-53-SC-13Cryptographic ProtectionSP800-53-SC-13(1)FIPS-validated CryptographySP800-53-SC-13(2)NSA-approved CryptographySP800-53-SC-13(3)Individuals Without Formal Access ApprovalsSP800-53-SC-13(4)Digital SignaturesSP800-53-SC-14Public Access ProtectionsSP800-53-SC-15Collaborative Computing Devices and ApplicationsSP800-53-SC-15(1)Physical or Logical DisconnectSP800-53-SC-15(2)Blocking Inbound and Outbound Communications TrafficSP800-53-SC-15(3)Disabling and Removal in Secure Work AreasSP800-53-SC-15(4)Explicitly Indicate Current ParticipantsSP800-53-SC-16Transmission of Security and Privacy AttributesSP800-53-SC-16(1)Integrity VerificationSP800-53-SC-16(2)Anti-spoofing MechanismsSP800-53-SC-16(3)Cryptographic BindingSP800-53-SC-17Public Key Infrastructure CertificatesSP800-53-SC-18Mobile CodeSP800-53-SC-18(1)Identify Unacceptable Code and Take Corrective ActionsSP800-53-SC-18(2)Acquisition, Development, and UseSP800-53-SC-18(3)Prevent Downloading and ExecutionSP800-53-SC-18(4)Prevent Automatic ExecutionSP800-53-SC-18(5)Allow Execution Only in Confined EnvironmentsSP800-53-SC-19Voice Over Internet ProtocolSP800-53-SC-20Secure Name/Address Resolution Service (Authoritative Source)SP800-53-SC-20(1)Child SubspacesSP800-53-SC-20(2)Data Origin and IntegritySP800-53-SC-21Secure Name/Address Resolution Service (Recursive or Caching Resolver)SP800-53-SC-21(1)Data Origin and IntegritySP800-53-SC-22Architecture and Provisioning for Name/Address Resolution ServiceSP800-53-SC-23Session AuthenticitySP800-53-SC-23(1)Invalidate Session Identifiers at LogoutSP800-53-SC-23(2)User-initiated Logouts and Message DisplaysSP800-53-SC-23(3)Unique System-generated Session IdentifiersSP800-53-SC-23(4)Unique Session Identifiers with RandomizationSP800-53-SC-23(5)Allowed Certificate AuthoritiesSP800-53-SC-24Fail in Known StateSP800-53-SC-25Thin NodesSP800-53-SC-26DecoysSP800-53-SC-26(1)Detection of Malicious CodeSP800-53-SC-27Platform-independent ApplicationsSP800-53-SC-28Protection of Information at RestSP800-53-SC-28(1)Cryptographic ProtectionSP800-53-SC-28(2)Offline StorageSP800-53-SC-28(3)Cryptographic KeysSP800-53-SC-29HeterogeneitySP800-53-SC-29(1)Virtualization TechniquesSP800-53-SC-30Concealment and MisdirectionSP800-53-SC-30(1)Virtualization TechniquesSP800-53-SC-30(2)RandomnessSP800-53-SC-30(3)Change Processing and Storage LocationsSP800-53-SC-30(4)Misleading InformationSP800-53-SC-30(5)Concealment of System ComponentsSP800-53-SC-31Covert Channel AnalysisSP800-53-SC-31(1)Test Covert Channels for ExploitabilitySP800-53-SC-31(2)Maximum BandwidthSP800-53-SC-31(3)Measure Bandwidth in Operational EnvironmentsSP800-53-SC-32System PartitioningSP800-53-SC-32(1)Separate Physical Domains for Privileged FunctionsSP800-53-SC-33Transmission Preparation IntegritySP800-53-SC-34Non-modifiable Executable ProgramsSP800-53-SC-34(1)No Writable StorageSP800-53-SC-34(2)Integrity Protection on Read-only MediaSP800-53-SC-34(3)Hardware-based ProtectionSP800-53-SC-35External Malicious Code IdentificationSP800-53-SC-36Distributed Processing and StorageSP800-53-SC-36(1)Polling TechniquesSP800-53-SC-36(2)SynchronizationSP800-53-SC-37Out-of-band ChannelsSP800-53-SC-37(1)Ensure Delivery and TransmissionSP800-53-SC-38Operations SecuritySP800-53-SC-39Process IsolationSP800-53-SC-39(1)Hardware SeparationSP800-53-SC-39(2)Separate Execution Domain Per ThreadSP800-53-SC-40Wireless Link ProtectionSP800-53-SC-40(1)Electromagnetic InterferenceSP800-53-SC-40(2)Reduce Detection PotentialSP800-53-SC-40(3)Imitative or Manipulative Communications DeceptionSP800-53-SC-40(4)Signal Parameter IdentificationSP800-53-SC-41Port and I/O Device AccessSP800-53-SC-42Sensor Capability and DataSP800-53-SC-42(1)Reporting to Authorized Individuals or RolesSP800-53-SC-42(2)Authorized UseSP800-53-SC-42(3)Prohibit Use of DevicesSP800-53-SC-42(4)Notice of CollectionSP800-53-SC-42(5)Collection MinimizationSP800-53-SC-43Usage RestrictionsSP800-53-SC-44Detonation ChambersSP800-53-SC-45System Time SynchronizationSP800-53-SC-45(1)Synchronization with Authoritative Time SourceSP800-53-SC-45(2)Secondary Authoritative Time SourceSP800-53-SC-46Cross Domain Policy EnforcementSP800-53-SC-47Alternate Communications PathsSP800-53-SC-48Sensor RelocationSP800-53-SC-48(1)Dynamic Relocation of Sensors or Monitoring CapabilitiesSP800-53-SC-49Hardware-enforced Separation and Policy EnforcementSP800-53-SC-50Software-enforced Separation and Policy EnforcementSP800-53-SC-51Hardware-based Protection