CM.3.068

Control Acronym

CM

Family

Configuration Management

CMMC Level

3

800-171 Control #

3.4.7

CMMC Description

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

CMMC Clarification

Organizations should only use the minimum set of programs, services, ports, and protocols required for to accomplish the organization's mission. This has several implications: * All unnecessary programs and accounts are removed from all endpoints and servers. * The organization makes a policy decision to control the execution of programs through either whitelisting or blacklisting. Whitelisting means a program can only run if the software has been vetted in some way, and the executable name has been entered onto a list of allowed software. Blacklisting means any software can execute as long it is not on a list of known malicious software. Whitelisting provides far more security than blacklisting, but the organization's policy can direct the implementation of either approach. Control of execution applies to both servers and endpoints. * The organization restricts the use of all unnecessary ports, protocols, and system services in order to limit entry points that attackers can use. For example the use of the FTP service is eliminated from all computers, and the associated ports are blocked unless a required service utilizes those ports. The elimination of nonessential functionality on the network and systems provides a smaller attack surface for an attacker to gain access and take control of your network or systems. Example You are responsible for purchasing new endpoint hardware, installing organizationally required software to the hardware, and configuring the endpoint in accordance with the organization's policy, The organization has a system imaging capability that loads all necessary software, but it does not remove unnecessary services, eliminate the use of certain protocols, or close unused ports. After imaging the systems you close all ports and block the use of all protocols except the following: • * TCP for SSH on port 22 * SMTP on port 25 * TCP and UDP on port 53 * HTTP and HTTPS on port 443. * The use of any other ports or protocols are allowed by exception only.

800-171 Description

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

800-171 Discussion

Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 9.2, 9.4, 12.4

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 CM-7(1), CM-7(2)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.4.7

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.IP-1, PR.PT-3

CERT RMM Reference

CERT RMM v1.2 TM:SG2.SP2

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

UK NCSC Cyber Essentials

AS ACSC Reference

Assessment Sub-Criteria 1

CM.3.068.[a] essential programs are defined;

Assessment Sub-Criteria 2

CM.3.068.[b] the use of nonessential programs is defined;

Assessment Sub-Criteria 3

CM.3.068.[c] the use of nonessential programs is restricted, disabled, or prevented as defined;

Assessment Sub-Criteria 4

CM.3.068.[d] essential functions are defined;

Assessment Sub-Criteria 5

CM.3.068.[e] the use of nonessential functions is defined;

Assessment Sub-Criteria 6

CM.3.068.[f] the use of nonessential functions is restricted, disabled, or prevented as defined;

Assessment Sub-Criteria 7

CM.3.068.[g] essential ports are defined;

Assessment Sub-Criteria 8

CM.3.068.[h] the use of nonessential ports is defined;

Assessment Sub-Criteria 9

CM.3.068.[i] the use of nonessential ports is restricted, disabled, or prevented as defined;

Assessment Sub-Criteria 10

CM.3.068.[j] essential protocols are defined;

Assessment Sub-Criteria 11

CM.3.068.[k] the use of nonessential protocols is defined;

Assessment Sub-Criteria 12

CM.3.068.[l] the use of nonessential protocols is restricted, disabled, or prevented as defined;

Assessment Sub-Criteria 13

CM.3.068.[m] essential services are defined;

Assessment Sub-Criteria 14

CM.3.068.[n] the use of nonessential services is defined; and

Assessment Sub-Criteria 15

CM.3.068.[o] the use of nonessential services is restricted, disabled, or prevented as defined.