CM-7(4): Unauthorized Software / Blacklisting

CSF v1.1 References:

Threats Addressed:


  • Moderate

Next Version:

Control Statement

The organization:

  1. Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
  2. Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
  3. Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].

Supplemental Guidance

The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.