3.13.4 — No Data Leaks Through Shared Resources
What It Says
Section titled “What It Says”Prevent unauthorized and unintended information transfer via shared system resources.
What It Actually Means
Section titled “What It Actually Means”On multi-user systems (shared servers, VDI, terminal servers), data can leak between sessions through:
- Temp directories — if all users share the same temp folder, one user’s cached CUI documents are visible to another
- Clipboard — in VDI environments, clipboard sharing between sessions can move CUI outside the controlled environment
- Shared memory — processes running in shared memory space can potentially access each other’s data
- Page/swap files — CUI data written to disk by the OS as part of memory management
For most modern single-user workstations, the OS handles process isolation well. The risk is concentrated in shared environments: VDI, terminal servers, multi-user applications, and shared databases.
The assessor will focus on your shared environments. If you don’t have any multi-user systems, document that in your SSP and this may be straightforward to satisfy.
Pass or Fail
Section titled “Pass or Fail”Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is unauthorized information transfer via shared system resources prevented? | Process isolation, per-user temp dirs, clipboard restrictions in place |
| 2 | Are shared system resources configured to prevent unintended data exposure? | VDI clipboard policies, temp directory permissions, swap file encryption |
What to Have Ready on Assessment Day
Section titled “What to Have Ready on Assessment Day”Documents they’ll review: System and communications protection policy; system security plan; system design documentation; system configuration settings showing shared resource protections
People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers
Live demos they’ll ask for: Mechanisms preventing unauthorized information transfer through shared resources
The Assessor’s Playbook
Section titled “The Assessor’s Playbook”These are the actual questions. Have answers ready.
- “Do you have any multi-user systems — VDI, terminal servers, shared workstations?”
- “How are temp directories configured on shared systems? Per-user or shared?”
- “Is clipboard sharing enabled in your VDI environment?”
- “How do you prevent data leakage through page/swap files?”
- “Show me the temp directory permissions on a shared server.”
Where Companies Trip Up
Section titled “Where Companies Trip Up”Shared temp directories on servers. All users writing to C:\Temp. Configure per-user temp directories via Group Policy.
VDI clipboard sharing enabled. Users can copy CUI text from the VDI session and paste it on their personal device. Disable clipboard redirection for CUI sessions.
Drive mapping in VDI. Users can map their personal USB drive into the VDI session and copy CUI out. Disable drive redirection.
No swap file encryption. CUI data written to swap/page file in plain text. Enable BitLocker to encrypt the entire volume including swap.
How to Talk About This
Section titled “How to Talk About This”Connected Requirements
Section titled “Connected Requirements”| Requirement | Why it matters here |
|---|---|
| 3.1.3 — Where CUI Can Flow | Shared resources are a CUI flow path that must be controlled |
| 3.13.16 — Encrypt CUI at Rest | Encryption protects CUI in swap/page files |
Implementation (coming soon)
Section titled “Implementation (coming soon)”Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: SC.L2-3.13.4 | SPRS Weight: 1 point | POA&M Eligible: Yes