CM-7(1): Periodic Review

Control Family:

Configuration Management

Parent Control:

CM-7: Least Functionality

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

PR.IP-1
PR.PT-3

Threats Addressed:

Elevation of Privilege

Baselines:

Moderate
High

Next Version:

NIST Special Publication 800-53 Revision 5:
CM-7(1): Periodic Review

Control Statement

The organization:

Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].

Supplemental Guidance

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.

Control Statement

Supplemental Guidance

Related Controls

Critical Security Controls Version 8

Critical Security Controls Version 7.1