Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.4 – Prevent unauthorized and unintended information transfer via shared system resources.
Understanding the Requirement
This control requires preventing data left behind in shared system resources from being exposed to subsequent users or processes — a concept often called object reuse and residual information protection. The objective is simple: ensure that information produced by prior users (files, memory, temporary storage, or disk blocks) is not available to current users or roles. Practically, that means configuring operating systems, virtual machines, and storage to sanitize or isolate resources before they are reassigned or reused.
Technical Implementation
- Use certified operating systems and validated images: Before deploying any OS or system image, verify its security capabilities (for example, whether it supports object reuse/residual information protections) and use a small set of approved, hardened images. For SMBs, maintain an official image library that includes secure configuration settings and is rebuilt regularly from a trusted source.
- Enforce secure provisioning and automated wipe processes: Implement automated provisioning workflows (PXE, image deployment, or cloud automation) that always install a clean image rather than cloning live disks. When decommissioning or reassigning devices, run an automated secure-erase or cryptographic wipe to remove residual data from disks and shared storage.
- Configure memory and temporary file handling: Enable OS and application settings that zero out freed memory and securely delete temporary files. For example, ensure swap or pagefile encryption and configure systems to clear swap on shutdown; set web servers and apps to use secure temp directories that are cleaned between sessions.
- Isolate shared resources using virtualization and access controls: For virtualized environments, use separate virtual disks for tenants or roles and enforce hypervisor-level tools that zero or replace virtual disk blocks before reallocation. Apply strict access controls and quotas on shared storage to reduce the need for reuse and minimize exposure.
- Use full-disk encryption and key management: When full-disk or volume encryption is applied with proper key management, residual data on repurposed media is protected unless keys are exposed. Combine encryption with secure key destruction procedures when repurposing devices.
- Document and audit: Create a short, actionable policy that requires use of approved images, specifies wiping tools and procedures, and assigns responsibility to system administrators. Schedule periodic audits and spot checks to confirm devices and storage are sanitized before reuse.
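A spot check of the memory, swap and temp-file settings described above can be scripted. The following is an added example, not part of the original guidance: it assumes a Linux host, the function names are hypothetical, and the sample inputs are constructed to resemble /proc/cmdline, /proc/swaps, /sys/block/<dev>/dm/uuid and /proc/mounts.

```python
"""Spot-check residual-information settings on a Linux host (added example)."""
import re

# Constructed sample inputs; on a real host, read the files named in each comment.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro quiet init_on_free=1"  # /proc/cmdline
SAMPLE_SWAPS = (                                                                        # /proc/swaps
    "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
    "/dev/dm-1                               partition\t8388604\t\t0\t\t-2\n"
    "/swapfile                               file\t\t2097148\t\t0\t\t-3\n"
)
SAMPLE_DM_UUIDS = {"dm-1": "CRYPT-PLAIN-cryptswap"}  # /sys/block/<dev>/dm/uuid
SAMPLE_MOUNTS = "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n/dev/mapper/vg-root / ext4 rw 0 0\n"  # /proc/mounts

def freed_memory_zeroed(cmdline: str) -> bool:
    """True if the kernel command line enables init_on_free (last value wins).
    A kernel built with the option on by default is not detected here."""
    values = [t.split("=", 1)[1] for t in cmdline.split() if t.startswith("init_on_free=")]
    return bool(values) and values[-1].lower() in {"1", "y", "on"}

def unencrypted_swap(swaps: str, dm_uuids: dict) -> list:
    """Swap areas not directly backed by a dm-crypt device. Swap files are
    reported too, since their protection depends on the underlying volume."""
    flagged = []
    for line in swaps.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if not fields:
            continue
        m = re.fullmatch(r"/dev/(dm-\d+)", fields[0])
        if not (m and dm_uuids.get(m.group(1), "").startswith("CRYPT-")):
            flagged.append(fields[0])
    return flagged

def tmp_is_tmpfs(mounts: str) -> bool:
    """True if the effective /tmp mount is tmpfs (contents do not survive reboot)."""
    fstype = None
    for line in mounts.splitlines():
        f = line.split()
        if len(f) >= 3 and f[1] == "/tmp":
            fstype = f[2]  # a later mount shadows an earlier one
    return fstype == "tmpfs"

def audit(cmdline: str, swaps: str, dm_uuids: dict, mounts: str) -> list:
    findings = []
    if not freed_memory_zeroed(cmdline):
        findings.append("init_on_free not enabled on kernel command line")
    findings += [f"swap area {s} is not a dm-crypt device" for s in unencrypted_swap(swaps, dm_uuids)]
    if not tmp_is_tmpfs(mounts):
        findings.append("/tmp is not tmpfs; contents persist across reboot")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CMDLINE, SAMPLE_SWAPS, SAMPLE_DM_UUIDS, SAMPLE_MOUNTS):
        print("FINDING:", finding)
```

An empty findings list means all three checks passed; each finding is a prompt for manual review, not proof of exposure.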
Example in a Small or Medium Business
A mid-sized engineering firm needs to redeploy several laptop and server systems as project teams rotate. A system administrator proposes using an obscure Linux distribution because it’s lightweight, but before approving it, the IT lead checks the OS’s Common Criteria certification status and the firm’s approved-image inventory. The OS isn’t certified and does not document object reuse protections, so the team decides not to deploy it. Instead, they select a certified enterprise image from their approved list, apply the firm’s hardened baseline, and enroll the machines in their automated provisioning system. When users finish with a machine, the provisioning workflow performs a cryptographic wipe of the disk and resets the machine from the clean image; swap and temporary files are cleared as part of shutdown scripts. For virtual machines used in shared development environments, the firm configures the hypervisor to zero virtual disk blocks before assigning them to a new VM and requires per-project storage namespaces. The IT manager documents the process, trains the system administrators, and schedules quarterly checks to verify that wipes and image deployments are happening as expected.
Summary
Combining policy and technical controls — approving and using certified OS images, automated provisioning that deploys clean images, secure erase/sanitization procedures, memory and temp-file handling, isolation in virtualized systems, and encryption with proper key practices — prevents unauthorized or unintended information transfers via shared resources. For SMBs, keep the implementation focused: limit approved images, automate wipes and provisioning, assign clear responsibilities, and audit regularly. These steps make residual data risks manageable without large teams or complex tooling.