CM-7(7): Code Execution in Protected Environments

Control Family:

Configuration Management

Parent Control:

CM-7: Least Functionality

CSF v1.1 References:

PR.IP-1
PR.PT-3

Threats Addressed:

Elevation of Privilege

Baselines:

(Not part of any baseline)

Control is new to this version of the control set and incorporates the following control from the previous version: SI-7(13): Code Execution In Protected Environments.

Control Statement

Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:

Obtained from sources with limited or no warranty; and/or
Without the provision of source code.

Supplemental Guidance

Code execution in protected environments applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5