Control Framework

EXE: Execution Security

The Execution Security domain isolates agent processes and limits resource consumption. Five controls address process isolation, resource limits, and containment.

EXE-01 Process Isolation

Requirement: Agent execution environments shall be isolated from other processes and system resources.

Rationale: Contains impact of agent compromise to the isolated environment.

Evidence: Isolation configuration (containers, VMs, sandboxes).

Profile: Essential

EXE-02 Resource Limits

Requirement: Agent execution shall be subject to defined limits on CPU, memory, network, and storage consumption.

Rationale: Prevents resource exhaustion attacks and contains runaway processes.

Evidence: Resource limit configuration and enforcement logs.

Profile: Standard

EXE-03 Network Segmentation

Requirement: Agent execution environments shall have network access restricted to explicitly authorized destinations.

Rationale: Prevents lateral movement and unauthorized external communication.

Evidence: Firewall rules and network policy configuration.

Profile: Standard

EXE-04 Filesystem Restrictions

Requirement: Agent write access to filesystems shall be limited to designated directories.

Rationale: Prevents unauthorized modification of system files or other applications.

Evidence: Filesystem permission configuration.

Profile: Elevated

EXE-05 Code Execution Controls

Requirement: Agent ability to execute arbitrary code shall be disabled unless explicitly required and subject to additional controls.

Rationale: Reduces attack surface by limiting execution capabilities.

Evidence: Code execution policy and configuration.

Profile: Critical

Previous
VAL: Input Validation
Next
OBS: Observability