CM.L2-3.4.6—Least Functionality
Level 2
800-171: 3.4.6
Control Description
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy for implementing the principle of least functionality?
- How do you determine essential versus non-essential capabilities for each system?
- Who approves the set of essential capabilities for each system?
- How do you review and validate that systems only provide essential capabilities?
Technical Implementation:
- What methods disable unnecessary capabilities (remove packages, disable services)?
- How do you technically enforce least functionality in system builds?
- What hardening procedures remove nonessential functions?
- What tools verify only essential capabilities are present?
- What configuration management ensures least functionality is maintained?
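The "tools verify only essential capabilities are present" question is usually answered with a baseline comparison: the approved list of services and packages for a system role is written down, and a check diffs what is actually enabled and installed against it. The script below is an added illustration of such a check, not part of the CMMC control text or any assessment guide. The baseline contents, the `systemctl list-unit-files --state=enabled` output and the package listing are constructed samples; on a real host they would be replaced by the captured command output, and the resulting report is the kind of artifact an assessor asks for as evidence.

```python
"""Least-functionality verification check (added example, not from the control text).

Compares a host's enabled services and installed packages against an approved
baseline and reports deviations. All inputs below are constructed samples.
"""
from dataclasses import dataclass, field

# Constructed sample of `systemctl list-unit-files --state=enabled` output.
SAMPLE_UNIT_FILES = """\
UNIT FILE                 STATE   PRESET
sshd.service              enabled enabled
auditd.service            enabled enabled
chronyd.service           enabled enabled
telnet.socket             enabled disabled
cups.service              enabled enabled

5 unit files listed.
"""

# Constructed sample of a package listing (one package name per line).
SAMPLE_PACKAGES = """\
openssh-server
audit
chrony
telnet-server
cups
"""


@dataclass
class Baseline:
    """Approved essential capabilities for one system role (hypothetical values)."""
    required_services: set[str]      # must be enabled
    allowed_services: set[str]       # required plus optional-but-approved
    prohibited_packages: set[str]    # must not be installed at all


@dataclass
class Deviation:
    """Differences between the observed host state and the baseline."""
    unexpected_services: list[str] = field(default_factory=list)
    missing_services: list[str] = field(default_factory=list)
    prohibited_packages_present: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not (self.unexpected_services
                    or self.missing_services
                    or self.prohibited_packages_present)


def parse_enabled_units(output: str) -> set[str]:
    """Extract unit names from systemctl output, skipping the header and footer lines."""
    units = set()
    for line in output.splitlines():
        parts = line.split()
        # Header row has "FILE" in column 2; footer has "unit"; data rows have "enabled".
        if len(parts) >= 2 and parts[1] == "enabled":
            units.add(parts[0])
    return units


def parse_packages(output: str) -> set[str]:
    """One package name per non-empty line."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def check_least_functionality(enabled: set[str], packages: set[str],
                              baseline: Baseline) -> Deviation:
    """Report services outside the allowlist, required services that are off,
    and prohibited packages that are installed."""
    dev = Deviation()
    dev.unexpected_services = sorted(enabled - baseline.allowed_services)
    dev.missing_services = sorted(baseline.required_services - enabled)
    dev.prohibited_packages_present = sorted(packages & baseline.prohibited_packages)
    return dev


# Hypothetical baseline for a hardened server role.
BASELINE = Baseline(
    required_services={"sshd.service", "auditd.service", "chronyd.service"},
    allowed_services={"sshd.service", "auditd.service", "chronyd.service"},
    prohibited_packages={"telnet-server", "rsh-server", "tftp-server"},
)


def run_sample() -> Deviation:
    """Run the check over the constructed sample inputs."""
    return check_least_functionality(parse_enabled_units(SAMPLE_UNIT_FILES),
                                     parse_packages(SAMPLE_PACKAGES), BASELINE)


if __name__ == "__main__":
    result = run_sample()
    print("compliant:", result.compliant)
    print("unexpected services:", result.unexpected_services)
    print("missing required services:", result.missing_services)
    print("prohibited packages present:", result.prohibited_packages_present)
```

Keeping the baseline as data rather than hard-coding it in the check lets the same script serve every system role, and the three separate deviation lists map directly onto remediation actions: disable, enable, or remove. Running the check on a schedule and retaining its output is what turns a one-time hardening step into the maintained state the last interview question asks about.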
Evidence & Documentation:
- What baseline configuration documentation can you provide?
- What configuration management plan describes your CM processes?
- What change request records and approvals can you show?
- What configuration scanning reports show compliance with baselines?
- What asset inventory documentation lists all system components?
- What security configuration benchmarks are applied to systems?
- What evidence shows configuration changes are tracked and logged?