CM-7(4): Unauthorized Software

CSF v1.1 References:

CSF v2.0 References:

Threats Addressed:


(Not part of any baseline)

Previous Version:

Control Statement

  1. Identify [Assignment: organization-defined software programs not authorized to execute on the system];
  2. Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
  3. Review and update the list of unauthorized software programs [Assignment: organization-defined frequency].

Supplemental Guidance

Unauthorized software programs can be limited to specific versions or from a specific source. The concept of prohibiting the execution of unauthorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses.