Back to Control Explorer



Control Acronym



Configuration Management

CMMC Level


800-171 Control #


CMMC Description

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

CMMC Clarification

You should customize organizational systems. To do this, remove non-essential applications and disable services not needed. Systems come with many unnecessary applications and settings enabled by default. Disable unnecessary software and services. These include unused ports and protocols. Leave only the fewest capabilities necessary for the systems to operate effectively. Example You know that systems often include unnecessary software and services enabled by default. You deploy new servers in your organization’s IT environment. Before you do so, you review each system’s role and minimum required capabilities. You remove software that is not needed. You disable unused ports and services. You leave only the essential capabilities enabled for the system to function in its role.

800-171 Description

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

800-171 Discussion

Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component.Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

Other Source Discussion


CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 CM-7

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.4.6

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.IP-1, PR.PT-3

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

UK NCSC Cyber Essentials

AS ACSC Reference


Assessment Sub-Criteria 1

CM.2.062.[a] essential system capabilities are defined based on the principle of least functionality; and

Assessment Sub-Criteria 2

CM.2.062.[b] the system is configured to provide only the defined essential capabilities.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15