Heterogeneity
System and Communications Protection
NIST Control Text
Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].
NIST Discussion
Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.
Parameter Values
Assignment (system components): Inline network encryptors at facility boundaries (at least two encryptors from different suppliers per inter-facility connection)
SL5 Supplemental Guidance
The organization deploys at least two inline network encryptors from different suppliers in series for each inter-facility connection, consistent with the NSA “Rule of Two” [14]. Here, “different suppliers” means different manufacturers or companies producing the encryptors. This heterogeneity protects against supplier-specific implementation vulnerabilities in firmware, hardware design, key management implementations, or protocol handling.
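As an added illustration, not part of the control text or the SL5 guidance, the check below evaluates a constructed encryptor inventory against the parameter above and flags any inter-facility connection that lacks two encryptors in series from two distinct suppliers. The inventory format, the series `position` field, and the supplier-name normalization are assumptions made for the example.

```python
"""Assessor check for the SC-29 parameter: each inter-facility connection
must carry at least two inline network encryptors, in series, from at least
two different suppliers. The inventory below is constructed for illustration."""
from collections import defaultdict

# Constructed inventory: (connection id, position in the series chain, supplier)
INVENTORY = [
    ("HQ<->DC1", 1, "Supplier A"),
    ("HQ<->DC1", 2, "Supplier B"),
    ("HQ<->DC2", 1, "Supplier A"),
    ("HQ<->DC2", 2, "supplier a "),   # same supplier, different spelling
    ("DC1<->DC2", 1, "Supplier C"),   # only one encryptor on the link
]


def normalize_supplier(name: str) -> str:
    # Case and whitespace differences must not make one supplier look like two,
    # otherwise a single-supplier link could pass the diversity check.
    return " ".join(name.split()).casefold()


def check_rule_of_two(inventory, min_encryptors=2, min_suppliers=2):
    """Return {connection: [violations]}; a compliant link maps to []."""
    chains = defaultdict(list)
    for connection, position, supplier in inventory:
        chains[connection].append((position, normalize_supplier(supplier)))
    findings = {}
    for connection, chain in chains.items():
        chain.sort()
        problems = []
        positions = [p for p, _ in chain]
        if len(chain) < min_encryptors:
            problems.append(f"only {len(chain)} encryptor(s) in series")
        # Series positions must be 1..n; a gap or duplicate suggests a
        # parallel or misrecorded placement rather than a true chain.
        if positions != list(range(1, len(chain) + 1)):
            problems.append(f"series positions not contiguous: {positions}")
        suppliers = {s for _, s in chain}
        if len(suppliers) < min_suppliers:
            problems.append(f"only {len(suppliers)} distinct supplier(s)")
        findings[connection] = problems
    return findings


if __name__ == "__main__":
    for conn, problems in check_rule_of_two(INVENTORY).items():
        print(conn, "OK" if not problems else "; ".join(problems))
```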