CM-07 Least Functionality

Baselines

Guidance

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2 , and SC-3).

References 5

• FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
• FIPS 180-4 National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4.
• FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
• FIPS 202 National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.
• SP 800-167 Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167.

Control Enhancements 9

• CM-07(01) Periodic Review L M H P
• CM-07(02) Prevent Program Execution L M H P
• CM-07(03) Registration Compliance L M H P
• CM-07(04) Unauthorized Software — Deny-by-exception L M H P
• CM-07(05) Authorized Software — Allow-by-exception L M H P
• CM-07(06) Confined Environments with Limited Privileges L M H P
• CM-07(07) Code Execution in Protected Environments L M H P
• CM-07(08) Binary or Machine Executable Code L M H P
• CM-07(09) Prohibiting The Use of Unauthorized Hardware L M H P

Related controls 17

• AC-03 Access Enforcement L M H P
• AC-04 Information Flow Enforcement L M H P
• CM-02 Baseline Configuration L M H P
• CM-05 Access Restrictions for Change L M H P
• CM-06 Configuration Settings L M H P
• CM-11 User-installed Software L M H P
• RA-05 Vulnerability Monitoring and Scanning L M H P
• SA-04 Acquisition Process L M H P
• SA-05 System Documentation L M H P
• SA-08 Security and Privacy Engineering Principles L M H P
• SA-09 External System Services L M H P
• SA-15 Development Process, Standards, and Tools L M H P
• SC-02 Separation of System and User Functionality L M H P
• SC-03 Security Function Isolation L M H P
• SC-07 Boundary Protection L M H P
• SC-37 Out-of-band Channels L M H P
• SI-04 System Monitoring L M H P