NIST 800-172_3.13.1e

NIST 800-172



Create diversity in [Assignment: organization-defined system components] to reduce the extent of malicious code propagation.

Organizations often use homogenous information technology environments to reduce costs and to simplify administration and use. However a homogenous environment can also facilitate the work of the APT as it allows for common mode failures and the propagation of malicious code across identical system components (i.e. hardware software and firmware). In these environments adversary tactics techniques and procedures (TTP) that work on one instantiation of a system component will work equally well on other identical instantiations of the component regardless of how many times such components are replicated or how far away they may be placed in the architecture. Increasing diversity within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures including those failures induced by supply chain attacks. Diversity also reduces the likelihood that the TTP adversaries use to compromise one system component will be effective against other system components thus increasing the adversary’s work factor to successfully complete the planned attacks. A heterogeneous or diverse information technology environment makes the task of propagating malicious code more difficult as the adversary needs to develop and deploy different TTP for the diverse components. Satisfying this requirement does not mean that organizations need to acquire and manage multiple versions of operating systems applications tools and communication protocols. However the use of diversity in certain critical organizationally determined system components can be an effective countermeasure against the APT. In addition organizations may already be practicing diversity although not to counter the APT. For example it is common for organizations to employ diverse anti-virus products at different parts of their infrastructure simply because each vendor may issue updates to new malicious code patterns at different times and frequencies. Similarly some organizations employ products from one vendor at the server level and products from another vendor at the end-user level. Another example of diversity occurs in products that provide address space layout randomization (ASLR). Such products introduce a form of synthetic diversity by transforming the implementations of common software to produce a variety of instances. Finally organizations may choose to use multiple virtual private network (VPN) vendors tunneling one vendor’s VPN within another vendor’s VPN. Smaller organizations may find that achieving diversity in system components is challenging and perhaps not practical. Organizations also consider the vulnerabilities that may be introduced into the system by the employment of diverse system components. [SP 800-160-1] provides guidance on security engineering practices and security design concepts. [SP 800-160-2] provides guidance on developing cyber resilient systems and system components. [SP 800-161] provides guidance on supply chain risk management.


Click here to Start your FREE trial today!

Explainer video


What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:

Click here to Start your FREE trial today!

Explainer video