
3.4.6 Configuration Management - Derived

Derived Requirement

>Control Description

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

>Discussion

Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components.

However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems to determine which functions and services are candidates for elimination.

Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
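One concrete way to identify prohibited services, and to produce the kind of scan evidence the assessment questions below ask for, is to compare a host's listening sockets against an approved baseline. The following is an added example, not part of the 3.4.6 text or any NIST tooling; the baseline and the `ss -lntup`-style output it parses are constructed for illustration.

```python
"""Least-functionality check: report listening sockets that are not on an
approved baseline. Added example; baseline and sample output are constructed."""
import re
from dataclasses import dataclass

# Approved baseline: (protocol, port, process) tuples a system owner has justified.
APPROVED = {("tcp", 22, "sshd"), ("tcp", 443, "nginx"), ("udp", 123, "chronyd")}

# Constructed `ss -lntup` output for a hypothetical host (not a real capture).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128    0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1410,fd=4))
tcp   LISTEN 0      50     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1502,fd=21))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("chronyd",pid=640,fd=5))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=1555,fd=7))
"""

# Matches one data line: protocol, local address, local port, and owning process name.
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list:
    """Parse `ss -lntup` output into Listener records; the header line is skipped."""
    found = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, proc = m.groups()
            found.append(Listener(proto, addr, int(port), proc))
    return found


def find_unapproved(listeners, approved=APPROVED) -> list:
    """Return listeners whose (proto, port, process) is absent from the baseline.
    Loopback-only sockets are reported too: a locally bound service is still a
    function the host provides and must be justified or disabled."""
    return [l for l in listeners if (l.proto, l.port, l.process) not in approved]


if __name__ == "__main__":
    for l in find_unapproved(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"UNAPPROVED {l.proto}/{l.port} {l.process} bound to {l.addr}")
```

Feeding real `ss -lntup` output to `parse_ss` and archiving the result alongside the signed-off baseline gives a repeatable record that only approved services are enabled.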

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern least functionality for information systems?
  • What procedures identify and disable unnecessary functions?
  • How do you determine which functions are essential vs unnecessary?
  • Who approves decisions about required functionality?
  • What governance ensures prohibited functions remain disabled?

Technical Implementation:

  • How do you implement least functionality technically?
  • What unnecessary services, ports, and protocols are disabled?
  • How do you prevent installation of unauthorized software?
  • What application whitelisting controls are deployed?
  • What scanning identifies unnecessary or prohibited functions?

Evidence & Documentation:

  • Can you provide lists of approved functions and disabled services?
  • What scan results show only necessary functions are enabled?
  • Can you demonstrate prohibited functions are disabled?
  • What evidence shows application whitelisting enforcement?
  • What audit findings verify least functionality compliance?
