Organizational Control: Least Functionality

Control ID: CM-7 Least Functionality Family: Configuration Management Source: NIST 800-53r4
Control: The organization:
  1. Configures the information system to provide only essential capabilities; and
  2. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance:
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

Related Controls: AC-6, CM-2, RA-5, SA-5, SC-7
Control Enhancements:
(1) Least Functionality | Periodic Review
The organization:
  1. Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
  2. Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].

Supplemental Guidance: The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.
Related Controls: CM-7, CM-8, IA-2, AC-18

(4) Least Functionality | Unauthorized Software / Blacklisting
The organization:
  1. Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
  2. Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
  3. Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].

Supplemental Guidance: The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.
Related Controls: CM-6, CM-8, PM-5
References: DoD Instruction 8551.01.
Mechanisms:

Protocol Implementation Conformance Statements: N/A