Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >System And Information Integrity
  4. >SP800-53-SI-14
SP800-53-SI-14Active

Non-persistence

Statement

Implement non-persistent system components and services that are initiated in a known state and terminated one or more: upon end of session of use; ....

Location

Control Family
System and Information Integrity

Control Details

Identifier
SP800-53-SI-14
Family
SI

Organisation-Defined Parameters

si-14_odp.01
system components and services
si-14_odp.02
one or more: upon end of session of use; ...
si-14_odp.03
frequency

Supplemental Guidance

Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments. Since the APT is a high-end, sophisticated threat with regard to capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries attempting to compromise or breach organizational systems.

Non-persistence can be achieved by refreshing system components, periodically reimaging components, or using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult to determine). The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the system unstable. Refreshes of critical components and services may be done periodically to hinder the ability of adversaries to exploit optimum windows of vulnerabilities.

Assessment Objective

non-persistent system components and services that are initiated in a known state are implemented; non-persistent system components and services are terminated one or more: upon end of session of use; ....

ATTACK
ATTACK-T1505relatedvia ctid-attack-to-sp800-53
ATTACK-T1546.003relatedvia ctid-attack-to-sp800-53
ATTACK-T1547.004relatedvia ctid-attack-to-sp800-53
ATTACK-T1547.006relatedvia ctid-attack-to-sp800-53
ATTACK-T1505.001relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to System and Information Integrity
System and Information Integrity119 controls
SP800-53-SI-1Policy and ProceduresSP800-53-SI-2Flaw RemediationSP800-53-SI-2(1)Central ManagementSP800-53-SI-2(2)Automated Flaw Remediation StatusSP800-53-SI-2(3)Time to Remediate Flaws and Benchmarks for Corrective ActionsSP800-53-SI-2(4)Automated Patch Management ToolsSP800-53-SI-2(5)Automatic Software and Firmware UpdatesSP800-53-SI-2(6)Removal of Previous Versions of Software and FirmwareSP800-53-SI-2(7)Root Cause AnalysisSP800-53-SI-3Malicious Code ProtectionSP800-53-SI-3(1)Central ManagementSP800-53-SI-3(2)Automatic UpdatesSP800-53-SI-3(3)Non-privileged UsersSP800-53-SI-3(4)Updates Only by Privileged UsersSP800-53-SI-3(5)Portable Storage DevicesSP800-53-SI-3(6)Testing and VerificationSP800-53-SI-3(7)Nonsignature-based DetectionSP800-53-SI-3(8)Detect Unauthorized CommandsSP800-53-SI-3(9)Authenticate Remote CommandsSP800-53-SI-3(10)Malicious Code AnalysisSP800-53-SI-4System MonitoringSP800-53-SI-4(1)System-wide Intrusion Detection SystemSP800-53-SI-4(2)Automated Tools and Mechanisms for Real-time AnalysisSP800-53-SI-4(3)Automated Tool and Mechanism IntegrationSP800-53-SI-4(4)Inbound and Outbound Communications TrafficSP800-53-SI-4(5)System-generated AlertsSP800-53-SI-4(6)Restrict Non-privileged UsersSP800-53-SI-4(7)Automated Response to Suspicious EventsSP800-53-SI-4(8)Protection of Monitoring InformationSP800-53-SI-4(9)Testing of Monitoring Tools and MechanismsSP800-53-SI-4(10)Visibility of Encrypted CommunicationsSP800-53-SI-4(11)Analyze Communications Traffic AnomaliesSP800-53-SI-4(12)Automated Organization-generated AlertsSP800-53-SI-4(13)Analyze Traffic and Event PatternsSP800-53-SI-4(14)Wireless Intrusion DetectionSP800-53-SI-4(15)Wireless to Wireline CommunicationsSP800-53-SI-4(16)Correlate Monitoring InformationSP800-53-SI-4(17)Integrated Situational AwarenessSP800-53-SI-4(18)Analyze Traffic and Covert ExfiltrationSP800-53-SI-4(19)Risk for IndividualsSP800-53-SI-4(20)Privileged UsersSP800-53-SI-4(21)Probationary PeriodsSP800-53-SI-4(22)Unauthorized Network ServicesSP800-53-SI-4(23)Host-based DevicesSP800-53-SI-4(24)Indicators of CompromiseSP800-53-SI-4(25)Optimize Network Traffic AnalysisSP800-53-SI-5Security Alerts, Advisories, and DirectivesSP800-53-SI-5(1)Automated Alerts and AdvisoriesSP800-53-SI-6Security and Privacy Function VerificationSP800-53-SI-6(1)Notification of Failed Security TestsSP800-53-SI-6(2)Automation Support for Distributed TestingSP800-53-SI-6(3)Report Verification ResultsSP800-53-SI-7Software, Firmware, and Information IntegritySP800-53-SI-7(1)Integrity ChecksSP800-53-SI-7(2)Automated Notifications of Integrity ViolationsSP800-53-SI-7(3)Centrally Managed Integrity ToolsSP800-53-SI-7(4)Tamper-evident PackagingSP800-53-SI-7(5)Automated Response to Integrity ViolationsSP800-53-SI-7(6)Cryptographic ProtectionSP800-53-SI-7(7)Integration of Detection and ResponseSP800-53-SI-7(8)Auditing Capability for Significant EventsSP800-53-SI-7(9)Verify Boot ProcessSP800-53-SI-7(10)Protection of Boot FirmwareSP800-53-SI-7(11)Confined Environments with Limited PrivilegesSP800-53-SI-7(12)Integrity VerificationSP800-53-SI-7(13)Code Execution in Protected EnvironmentsSP800-53-SI-7(14)Binary or Machine Executable CodeSP800-53-SI-7(15)Code AuthenticationSP800-53-SI-7(16)Time Limit on Process Execution Without SupervisionSP800-53-SI-7(17)Runtime Application Self-protectionSP800-53-SI-8Spam ProtectionSP800-53-SI-8(1)Central ManagementSP800-53-SI-8(2)Automatic UpdatesSP800-53-SI-8(3)Continuous Learning CapabilitySP800-53-SI-9Information Input RestrictionsSP800-53-SI-10Information Input ValidationSP800-53-SI-10(1)Manual Override CapabilitySP800-53-SI-10(2)Review and Resolve ErrorsSP800-53-SI-10(3)Predictable BehaviorSP800-53-SI-10(4)Timing InteractionsSP800-53-SI-10(5)Restrict Inputs to Trusted Sources and Approved FormatsSP800-53-SI-10(6)Injection PreventionSP800-53-SI-11Error HandlingSP800-53-SI-12Information Management and RetentionSP800-53-SI-12(1)Limit Personally Identifiable Information ElementsSP800-53-SI-12(2)Minimize Personally Identifiable Information in Testing, Training, and ResearchSP800-53-SI-12(3)Information DisposalSP800-53-SI-13Predictable Failure PreventionSP800-53-SI-13(1)Transferring Component ResponsibilitiesSP800-53-SI-13(2)Time Limit on Process Execution Without SupervisionSP800-53-SI-13(3)Manual Transfer Between ComponentsSP800-53-SI-13(4)Standby Component Installation and NotificationSP800-53-SI-13(5)Failover CapabilitySP800-53-SI-14Non-persistenceSP800-53-SI-14(1)Refresh from Trusted SourcesSP800-53-SI-14(2)Non-persistent InformationSP800-53-SI-14(3)Non-persistent ConnectivitySP800-53-SI-15Information Output FilteringSP800-53-SI-16Memory ProtectionSP800-53-SI-17Fail-safe ProceduresSP800-53-SI-18Personally Identifiable Information Quality OperationsSP800-53-SI-18(1)Automation SupportSP800-53-SI-18(2)Data TagsSP800-53-SI-18(3)CollectionSP800-53-SI-18(4)Individual RequestsSP800-53-SI-18(5)Notice of Correction or DeletionSP800-53-SI-19De-identificationSP800-53-SI-19(1)CollectionSP800-53-SI-19(2)ArchivingSP800-53-SI-19(3)ReleaseSP800-53-SI-19(4)Removal, Masking, Encryption, Hashing, or Replacement of Direct IdentifiersSP800-53-SI-19(5)Statistical Disclosure ControlSP800-53-SI-19(6)Differential PrivacySP800-53-SI-19(7)Validated Algorithms and SoftwareSP800-53-SI-19(8)Motivated IntruderSP800-53-SI-20TaintingSP800-53-SI-21Information RefreshSP800-53-SI-22Information DiversitySP800-53-SI-23Information Fragmentation