CM-07 Least Functionality

a. Configure the system to provide only cm-07_odp.01 ; and

b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: cm-7_prm_2.

Parameter ID Definition
cm-7_prm_2 organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services
cm-07_odp.01 mission-essential capabilities
cm-07_odp.02 functions
cm-07_odp.03 ports
cm-07_odp.04 protocols
cm-07_odp.05 software
cm-07_odp.06 services

Baselines

Guidance

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2 , and SC-3).

References 5

Control Enhancements 9

Related controls 17