CM.L2-3.4.7 Nonessential Functionality
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Source: NIST SP 800-171 Rev 2 3.4.7
Discussion: Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.
Assessment Objectives:
Determine if:
- [a] essential programs are defined;
- [b] the use of nonessential programs is defined;
- [c] the use of nonessential programs is restricted, disabled, or prevented as defined;
- [d] essential functions are defined;
- [e] the use of nonessential functions is defined;
- [f] the use of nonessential functions is restricted, disabled, or prevented as defined;
- [g] essential ports are defined;
- [h] the use of nonessential ports is defined;
- [i] the use of nonessential ports is restricted, disabled, or prevented as defined;
- [j] essential protocols are defined;
- [k] the use of nonessential protocols is defined;
- [l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
- [m] essential services are defined;
- [n] the use of nonessential services is defined; and
- [o] the use of nonessential services is restricted, disabled, or prevented as defined.
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; security plan; system design documentation; system configuration settings and associated documentation; specifications for preventing software program execution; security configuration checklists; documented reviews of programs, functions, ports, protocols, and/or services; change control records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for reviewing programs, functions, ports, protocols, and services on the system; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Organizational processes for reviewing and disabling nonessential programs, functions, ports, protocols, or services; mechanisms implementing review and handling of nonessential programs, functions, ports, protocols, or services; organizational processes preventing program execution on the system; organizational processes for software program usage and restrictions; mechanisms supporting or implementing software program usage and restrictions; mechanisms preventing program execution on the system].
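One concrete way to produce the evidence the Test items above ask for on a Linux host, as an added example that is not part of the NIST SP 800-171 text or the CMMC assessment guide: compare the sockets actually listening (`ss -tulnH`, a real iproute2 command whose column layout the script parses) against the organization's documented set of essential protocol/port pairs from objectives [g], [j] and [m], and report anything else as a candidate for objectives [i], [l] and [o]. The `proto:port` allowlist format, the contents of `ESSENTIAL_LISTENERS` and the sample `ss` output are constructed assumptions; program allowlisting (objectives [a] through [c]) is platform-specific and is not shown here.

```shell
#!/bin/sh
# Added example (not from NIST SP 800-171 or the CMMC assessment guide): report
# listening sockets that are not on the organization's list of essential ones.
# Assumptions: allowlist entries are "proto:port" separated by whitespace or
# newlines; input is `ss -tuln` output, with or without the header row.

# Essential listeners as defined by the organization (constructed allowlist;
# a file with one "proto:port" per line works too: "$(cat essential.txt)").
ESSENTIAL_LISTENERS='tcp:22 tcp:443'

# Constructed sample of `ss -tulnH` output. FTP (tcp/21) and a DHCP client
# socket (udp/68) are present but are not on the allowlist.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*'

# nonessential_listeners ALLOWLIST
# Reads `ss -tuln[H]` lines on stdin and prints one "proto:port" per distinct
# listener that is absent from ALLOWLIST, in the order first seen.
# ss columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
nonessential_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, entries, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (entries[i] != "") ok[entries[i]] = 1
        }
        $1 == "Netid" { next }      # header row when -H was not used
        NF >= 5 {
            port = $5
            sub(/.*:/, "", port)    # text after the last ":" (0.0.0.0:22, [::]:22, *:22)
            key = $1 ":" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Run the check against the constructed sample; prints "tcp:21" and "udp:68".
check_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | nonessential_listeners "$ESSENTIAL_LISTENERS"
}

# Live use: exit non-zero when anything nonessential is listening, so the
# check can gate an image build or feed a configuration-compliance scan.
audit_live() {
    findings=$(ss -tulnH | nonessential_listeners "$ESSENTIAL_LISTENERS")
    [ -z "$findings" ] && return 0
    printf 'nonessential listeners:\n%s\n' "$findings"
    return 1
}
```

Source the file and call `audit_live` on the host being assessed; each reported `proto:port` should either be added to the documented essential set with a justification, or have its service disabled and the change recorded, which is the paper trail the Examine items (documented reviews, change control records) look for. The check covers only network listeners; Bluetooth, local-only services and installed-but-idle programs need their own inventory.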
SPRS Score: 5
POA&M Allowed: No