CM-7: Least Functionality

Control Statement

  1. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
  2. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

Supplemental Guidance

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).

Control Enhancements

CM-7(1): Periodic Review

Baseline(s):

  • Moderate
  • High

  1. Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
  2. Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].
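As an added example that is not part of NIST SP 800-53 or this page, the following Python turns the periodic review in CM-7(1) into a repeatable check: it parses `ss -tulpn`-style output and compares each listening socket against an organization-defined allow list in the deny-all, permit-by-exception manner the control family describes, reporting every socket that is unlisted, owned by an unexpected process, or bound more widely than the rule permits. The sample `ss` output, the allow list, and the names `parse_ss` and `review` are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample of `ss -tulpn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128    0.0.0.0:5432       0.0.0.0:*         users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      50     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1402,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=1510,fd=7))
"""

# Hypothetical organization-defined allow list, constructed for this example:
# (protocol, port) -> (expected owning process, must bind to loopback only)
ALLOWED = {
    ("tcp", 22):   ("sshd", False),     # remote administration
    ("tcp", 443):  ("nginx", False),    # the system's mission service
    ("tcp", 5432): ("postgres", True),  # database, local clients only
}
LOOPBACK = {"127.0.0.1", "::1"}

# proto ("tcp"/"udp"), bound local address, port, owning process ("?" if none)
Socket = namedtuple("Socket", "proto addr port process")

def parse_ss(output: str) -> list[Socket]:
    sockets = []
    for line in output.splitlines()[1:]:          # [1:] skips the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        addr, port = parts[4].rsplit(":", 1)      # works for "[::]:22" and "*:22"
        m = re.search(r'"([^"]+)"', parts[6]) if len(parts) > 6 else None
        sockets.append(Socket(parts[0], addr, int(port), m.group(1) if m else "?"))
    return sockets

def review(sockets: list[Socket]) -> list[tuple[Socket, str]]:
    # Deny-all, permit-by-exception: a socket passes only if it matches a rule
    # on protocol, port, owning process and (when required) loopback binding.
    findings = []
    for s in sockets:
        rule = ALLOWED.get((s.proto, s.port))
        if rule is None:
            findings.append((s, "not on the allow list"))
        elif rule[0] != s.process:
            findings.append((s, f"port reserved for {rule[0]}, served by {s.process}"))
        elif rule[1] and s.addr not in LOOPBACK:
            findings.append((s, "must bind to loopback only"))
    return findings
```

Run against the sample, `review(parse_ss(SAMPLE_SS_OUTPUT))` flags vsftpd on tcp/21 and snmpd on udp/161 as unlisted and postgres on tcp/5432 for binding to all interfaces, while sshd and nginx pass.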

CM-7(2): Prevent Program Execution

Baseline(s):

  • Moderate
  • High

Prevent program execution in accordance with [Assignment (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].

CM-7(3): Registration Compliance

Baseline(s):

(Not part of any baseline)

Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].

CM-7(4): Unauthorized Software

Baseline(s):

(Not part of any baseline)

  1. Identify [Assignment: organization-defined software programs not authorized to execute on the system];
  2. Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
  3. Review and update the list of unauthorized software programs [Assignment: organization-defined frequency].

CM-7(5): Authorized Software

Baseline(s):

  • Moderate
  • High

  1. Identify [Assignment: organization-defined software programs authorized to execute on the system];
  2. Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
  3. Review and update the list of authorized software programs [Assignment: organization-defined frequency].

CM-7(6): Confined Environments with Limited Privileges

Baseline(s):

(Not part of any baseline)

Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software].

CM-7(7): Code Execution in Protected Environments

Baseline(s):

(Not part of any baseline)

Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:

  1. Obtained from sources with limited or no warranty; and/or
  2. Without the provision of source code.

CM-7(8): Binary or Machine Executable Code

Baseline(s):

(Not part of any baseline)

  1. Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
  2. Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.

CM-7(9): Prohibiting the Use of Unauthorized Hardware

Baseline(s):

(Not part of any baseline)

  1. Identify [Assignment: organization-defined hardware components authorized for system use];
  2. Prohibit the use or connection of unauthorized hardware components; and
  3. Review and update the list of authorized hardware components [Assignment: organization-defined frequency].