


Control Acronym



Configuration Management

CMMC Level


800-171 Control #


CMMC Description

Control and monitor user-installed software.

CMMC Clarification

You should limit installed software to items that the organization approved. Users will install software that creates unnecessary risk. This risk applies both to the machine and to the larger operating environment. You should control the software users can install. You should put in place policies and technical controls that can reduce risk to the organization.

Example

You are the IT administrator for your company. A user calls you for help installing a software package. He keeps receiving a message asking for a password. The user receives the message because he does not have permission to install the software. You explain the organization’s policy. It prohibits users from installing software without approval. When you set up workstations for users, you do not provide administrative privileges. You make an exception only if a user needs administrative access to do his job. After the call, you redistribute the policy to all users ensuring everyone in the organization is aware of the restrictions.

800-171 Description

Control and monitor user-installed software.

800-171 Discussion

Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.

Other Source Discussion


CIS Control References

CIS Controls v7.1 2.1, 2.2, 2.6

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 CM-11

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.4.9

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

CM.2.063.[a] a policy for controlling the installation of software by users is established;

Assessment Sub-Criteria 2

CM.2.063.[b] installation of software by users is controlled based on the established policy; and

Assessment Sub-Criteria 3

CM.2.063.[c] installation of software by users is monitored.
