CM.L2-3.4.7 Nonessential Functionality

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Source: NIST SP 800-171 Rev 2 3.4.7

Discussion: Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; security plan; system design documentation; system configuration settings and associated documentation; specifications for preventing software program execution; security configuration checklists; documented reviews of programs, functions, ports, protocols, and/or services; change control records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for reviewing programs, functions, ports, protocols, and services on the system; personnel with information security responsibilities; system or network administrators; system developers].

Test: [SELECT FROM: Organizational processes for reviewing and disabling nonessential programs, functions, ports, protocols, or services; mechanisms implementing review and handling of nonessential programs, functions, ports, protocols, or services; organizational processes preventing program execution on the system; organizational processes for software program usage and restrictions; mechanisms supporting or implementing software program usage and restrictions; mechanisms preventing program execution on the system].

SPRS Score: 5

POA&M Allowed: No