03.04.06—Least Functionality
>Control Description
Configure the system to provide only mission-essential capabilities. Prohibit or restrict use of the following functions, ports, protocols, connections, and services: ⚙organization-defined functions, ports, protocols, connections, and services. Review the system ⚙organization-defined frequency to identify unnecessary or nonsecure functions, ports, protocols, connections, and services. Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What documented policies and procedures address 03.04.06?
- •Who is accountable for implementing and maintaining 03.04.06 controls?
- •How frequently are 03.04.06 requirements reviewed, and what triggers updates?
- •What process ensures changes to systems maintain compliance with 03.04.06 requirements?
- •How are exceptions to 03.04.06 requirements documented and approved?
Technical Implementation:
- •What technical controls enforce 03.04.06 in your environment?
- •How are 03.04.06 controls configured and maintained across all systems?
- •What automated mechanisms support 03.04.06 compliance?
- •How do you validate that 03.04.06 implementations achieve their intended security outcome?
- •What compensating controls exist if primary 03.04.06 controls cannot be fully implemented?
Evidence & Documentation:
- •What documentation proves 03.04.06 is implemented and operating effectively?
- •Can you provide configuration evidence showing how 03.04.06 is technically enforced?
- •What audit logs or monitoring data demonstrate ongoing 03.04.06 compliance?
- •Can you show evidence of a recent review or assessment of 03.04.06 controls?
- •What artifacts would you provide during an assessment to demonstrate 03.04.06 compliance?
Ask AI
Configure your API key to use AI features.