Automated mechanisms exist to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application.
Mechanisms exist to employ boundary protections to isolate systems, services and processes that support critical missions and/or business functions.
Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains.
Mechanisms exist to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems.
Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
Mechanisms exist to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions.
Mechanisms exist to prevent encrypted data from bypassing content-checking mechanisms.
Mechanisms exist to enforce limitations on embedding data within other data types.
Mechanisms exist to enforce information flow controls based on metadata.
Mechanisms exist to enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis.