Employ application whitelisting and an application vetting process for systems identified by the organization.
The organization has a procedure to validate systems used for processing CUI and to identify the applications required for CUI processing. The procedure includes the steps a new application must go through to check that it is not malicious and that there is a business requirement for it before it is added to the whitelist. The organization has configured its systems (e.g., desktop, laptop, tablet) to check that an application has been approved for use (whitelisted) before the application can run. All unapproved applications are, by default, blocked from running on the organization's systems. See practice RM.5.152 for more information on handling non-whitelisted software.

Example 1
You are responsible for system security at your organization. An employee asks you to approve a data visualization application they want to use to develop charts in their final report to the sponsor. After you confirm with the project manager that the application is required, you run a script to calculate the SHA-256 hash of the executable and submit the hash to virustotal.com for validation (looking up the hash avoids uploading the file itself; MD5 is not suitable for this purpose because collisions are practical, so a different executable could carry the same MD5). After confirming the application is safe, you add the application to the whitelist.

Example 2
You are responsible for system security at your organization. An employee asks you to whitelist an application found through an Internet search. You download a copy of the file and submit it to virustotal.com. You determine that it is malicious. You delete all copies of the application from all of your organization's computers and do not add it to the organization's whitelist.
(MODIFIED From 800-171r2) The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution, because anything not explicitly approved is denied rather than only known-bad programs being blocked. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. Note that a hash-based whitelist entry is tied to one exact binary: a patched or updated version has a different hash and must be re-vetted and re-added, whereas a publisher-signature rule survives updates but trusts everything that publisher signs. This practice requires the use of application whitelisting where feasible. NIST SP 800-167 provides guidance on application whitelisting.
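The vetting and enforcement procedure described in the examples above (hash the candidate, check the scanner verdict, record the hash on the whitelist, and deny execution of anything whose current hash is not on it), together with the pre-execution integrity verification mentioned in the discussion, as an added runnable example. This is not code from the CMMC or NIST documents. It uses SHA-256 instead of the MD5 named in Example 1; the sample files, the scanner reports and the zero-tolerance verdict threshold are constructed for the demo; the function names (sha256_file, vt_file_url, vet_report, approve_application, is_allowed_to_run, run_demo) are hypothetical; and although vt_file_url follows the shape of VirusTotal's public v3 file endpoint, no network request is made.

```python
"""Hash-based application vetting and default-deny allowlist check.
Added example, not part of the CMMC/NIST text. Sample files and scanner
reports are constructed for the demo; nothing is sent to VirusTotal."""
import hashlib
import os
import tempfile
from typing import Callable, Dict, Optional

# Constructed reports in the shape of VirusTotal's v3 file report
# (data.attributes.last_analysis_stats). The counts are made up.
CLEAN_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 0, "suspicious": 0, "undetected": 70}}}}
MALICIOUS_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 43, "suspicious": 2, "undetected": 25}}}}


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large installers need not fit in memory.
    SHA-256 rather than MD5: MD5 collisions are practical, so two different
    executables can share an MD5, which defeats a hash-based allowlist."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_file_url(digest: str) -> str:
    """Lookup URL for a hash (a real lookup is a GET with an 'x-apikey'
    header). Submitting the hash first avoids uploading the binary itself."""
    return f"https://www.virustotal.com/api/v3/files/{digest}"


def vet_report(report: dict) -> bool:
    """True only if no engine flagged the sample (threshold is an assumption)."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return stats.get("malicious", 0) == 0 and stats.get("suspicious", 0) == 0


def approve_application(path: str, justification: str,
                        lookup: Callable[[str], Optional[dict]],
                        allowlist: Dict[str, dict]) -> bool:
    """Vetting steps: business need, then scanner verdict, then allowlist.
    Returns True if the file's current hash was added to the allowlist."""
    if not justification:
        return False            # no confirmed business requirement
    digest = sha256_file(path)
    report = lookup(digest)
    if report is None:
        return False            # hash unknown to the scanner: not yet vetted
    if not vet_report(report):
        return False            # malicious: delete all copies, never allowlist
    allowlist[digest] = {"name": os.path.basename(path),
                         "justification": justification}
    return True


def is_allowed_to_run(path: str, allowlist: Dict[str, dict]) -> bool:
    """Default-deny check before execution: the file's current hash must be
    on the allowlist. Name and path are not trusted, so a binary modified in
    place is blocked until it is re-vetted."""
    return sha256_file(path) in allowlist


def run_demo() -> dict:
    """Replay Examples 1 and 2 on constructed sample files."""
    allowlist: Dict[str, dict] = {}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        chart_tool = os.path.join(d, "charts.exe")
        found_online = os.path.join(d, "free_tool.exe")
        with open(chart_tool, "wb") as f:
            f.write(b"MZ constructed sample: data visualization tool")
        with open(found_online, "wb") as f:
            f.write(b"MZ constructed sample: file found via web search")
        # Stand-in for the hash lookup, keyed by SHA-256.
        reports = {sha256_file(chart_tool): CLEAN_REPORT,
                   sha256_file(found_online): MALICIOUS_REPORT}

        # Example 1: need confirmed by the project manager, report is clean.
        results["chart_tool_approved"] = approve_application(
            chart_tool, "charts for the sponsor's final report",
            reports.get, allowlist)
        results["chart_tool_runs"] = is_allowed_to_run(chart_tool, allowlist)

        # Example 2: the scanner flags the download; it stays blocked.
        results["found_online_approved"] = approve_application(
            found_online, "requested by employee", reports.get, allowlist)
        results["found_online_runs"] = is_allowed_to_run(found_online, allowlist)

        # Integrity check: the approved tool is altered in place (one byte
        # appended), so its hash no longer matches and execution is denied.
        with open(chart_tool, "ab") as f:
            f.write(b"\x90")
        results["tampered_chart_tool_runs"] = is_allowed_to_run(chart_tool, allowlist)
        results["allowlist_size"] = len(allowlist)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The tampered-file case is the reason the check hashes the file at run time rather than trusting its name or location: a replaced or patched binary at an approved path fails closed until someone repeats the vetting step for the new hash.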
CIS Controls v7.1 2.1, 2.2, 2.6, 2.7, 2.8, 2.9
NIST SP 800-53 Rev 4 CM-7(4), CM-7(5)
NIST CSF v1.1 PR.PT-3
CERT RMM v1.2 TM:SG2.SP2
CMMC modification of NIST SP 800-171 3.4.8