
CM-7(5) Least Functionality

PBMM (P1)
Secret (P1)
Operational

>Control Description

LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE / WHITELISTING (a) The organization identifies [organization-defined software programs] authorized to execute on the information system; (b) The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) The organization reviews and updates the list of authorized software programs at an [organization-defined frequency].

>Supplemental Guidance

The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system start-up.

Related controls: CM-2, CM-6, CM-8, SA-10, SC-34, SI-7
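The following is an added illustration, not part of the control text or the profile: a minimal deny-all, permit-by-exception check that implements parts (a) and (b) as an allowlist of resolved paths with recorded SHA-256 digests, verifies integrity before execution as the supplemental guidance suggests, and includes a helper for the periodic review in part (c). The script names, directory and file contents are constructed for the demonstration; real enforcement would be done by an operating-system mechanism (for example Windows AppLocker or WDAC, or fapolicyd on Linux) rather than by a script like this.

```python
"""Added example for CM-7(5): deny-all, permit-by-exception allowlist with
SHA-256 integrity verification. Not part of the control text; all paths and
file contents below are constructed for the demonstration."""
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(entries):
    """entries: iterable of (path, expected_sha256) pairs -> {real_path: hash}.
    Paths are resolved so symlinks cannot alias an unlisted program."""
    return {os.path.realpath(path): digest.lower() for path, digest in entries}


def is_execution_permitted(path, allowlist):
    """Deny-all, permit-by-exception decision (parts (a) and (b)).

    A program may run only if (1) its resolved path is on the authorized list
    and (2) its current SHA-256 matches the recorded one, i.e. integrity is
    verified prior to execution. Returns (permitted, reason).
    """
    real = os.path.realpath(path)
    if real not in allowlist:
        return False, "denied: not on the authorized software list"
    if not os.path.isfile(real):
        return False, "denied: listed program is missing on disk"
    if sha256_of_file(real) != allowlist[real]:
        return False, "denied: integrity check failed (hash mismatch)"
    return True, "permitted: authorized and integrity verified"


def find_stale_entries(allowlist):
    """Support for the review in part (c): report entries whose file has been
    removed or whose on-disk hash no longer matches the recorded value."""
    stale = {}
    for real, expected in allowlist.items():
        if not os.path.isfile(real):
            stale[real] = "missing"
        elif sha256_of_file(real) != expected:
            stale[real] = "hash mismatch"
    return stale


def demo():
    """Constructed scenario: three scripts in a temp dir. Returns the
    per-program decisions and the entries flagged for review."""
    workdir = tempfile.mkdtemp(prefix="cm7-5-demo-")
    paths = {name: os.path.join(workdir, name + ".sh")
             for name in ("approved", "tampered", "unlisted")}
    for path in paths.values():
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")

    # The allowlist records known-good hashes of the two authorized programs;
    # "unlisted" is deliberately left off it.
    allowlist = build_allowlist([
        (paths["approved"], sha256_of_file(paths["approved"])),
        (paths["tampered"], sha256_of_file(paths["tampered"])),
    ])

    # Simulate modification of an authorized program after it was approved.
    with open(paths["tampered"], "a") as fh:
        fh.write("echo modified\n")

    decisions = {name: is_execution_permitted(path, allowlist)
                 for name, path in paths.items()}
    stale = find_stale_entries(allowlist)
    return decisions, stale


if __name__ == "__main__":
    decisions, stale = demo()
    for name, (_ok, reason) in decisions.items():
        print(f"{name}: {reason}")
    print("entries needing review:", list(stale))
```

Running the script shows the three outcomes the control distinguishes: the approved program is permitted, the modified program is denied on the integrity check even though it is listed, and the unlisted program is denied by default. The `find_stale_entries` helper is the kind of report that feeds the periodic list review in part (c).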

>Tailoring Guidance

This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.
