Device Class 1: Least Functionality

Control ID: CM-7 Least Functionality
Family: Configuration Management
Source: NIST 800-53r4
Control: The organization:
  1. Configures the information system to provide only essential capabilities; and
  2. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance:
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

Related Controls: AC-6, CM-2, RA-5, SA-5, SC-7
Control Enhancements:
(2) Least Functionality | Prevent Program Execution
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Supplemental Guidance:
Related Controls: N/A
References: N/A
Mechanisms:

  • The device shall expose only those services required for it to operate. Each network-facing service it does expose (e.g., FTP, SSH, Telnet, web interface) shall have a documented justification for why it is needed.
  • The device shall provide a mechanism for disabling every system service and application that is not essential to its operation.
  • The device shall support data loss prevention policies; the implementation shall be described.
  • The device shall implement one or both of the following:
    • The device requires that all software installed is signed (corresponding to ongoing privileged access in the language of Notes on Access Control).
      • If this approach is taken, the integrity of the verification key shall be protected by local hardware, either by directly storing the key in local hardware, or by creating a chain of trust from the key to a hardware-protected key. The hardware protection shall be equivalent to FIPS 140-2 level 2, 3 or 4 as specified in Notes on Access Control.
    • The device allows unsigned software to be installed only by an authenticated user holding periodic privileged access to the specific resources needed for program installation; that is, the device does not boot into a state in which that access is already granted.
      • If this approach is taken, the device shall require that the authenticated user is authenticated using two-factor authentication and that at least one of the two factors is protected by cryptographic hardware on the device. See IA-2 for further description.
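One way to check the first two mechanisms (and PICS statements CM-7/1 and CM-7/2) on a Linux-based device, as an added example that is not part of this profile or of any vendor's implementation: parse the listening sockets reported by `ss -tulnp`, compare them against an allowlist that carries the per-service justification the PICS asks for, and report every socket without an entry. The `ss` sample output is constructed for the example, not captured from a real device, and the allowlist contents, port numbers and process names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ListeningService is one listening socket as reported by `ss -tulnp`.
type ListeningService struct {
	Proto   string // "tcp" or "udp"
	Addr    string // bound address, e.g. "0.0.0.0", "127.0.0.1", "[::]"
	Port    string
	Process string // process name from the users:((...)) column, "" if not reported
}

// Allowlist maps "proto/port" to the reason the service is needed, i.e. the
// per-service justification PICS statement CM-7/1 asks for.
type Allowlist map[string]string

// ssLine matches one data row of `ss -tulnp` output. Assumption: the Netid column is
// present (it is when -t and -u are given together) and the Process column may be absent.
var ssLine = regexp.MustCompile(`^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?`)

// ParseSS extracts listening sockets from ss output; the header and unparsable lines are skipped.
func ParseSS(out string) []ListeningService {
	var svcs []ListeningService
	for _, line := range strings.Split(out, "\n") {
		m := ssLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		svcs = append(svcs, ListeningService{Proto: m[1], Addr: m[2], Port: m[3], Process: m[4]})
	}
	return svcs
}

// Finding is one listening service the allowlist does not account for.
type Finding struct {
	Service ListeningService
	Reason  string
}

// Audit reports every listening socket without an allowlist entry. Loopback-only sockets
// are reported as well: CM-7 restricts what the device runs, not only what is reachable
// from the network, and a "disabled" service that still binds 127.0.0.1 is a common leftover.
func Audit(svcs []ListeningService, allow Allowlist) []Finding {
	var findings []Finding
	for _, s := range svcs {
		key := s.Proto + "/" + s.Port
		if _, ok := allow[key]; !ok {
			findings = append(findings, Finding{Service: s, Reason: fmt.Sprintf(
				"%s listening on %s:%s (%s) has no allowlist entry", s.Process, s.Addr, s.Port, key)})
		}
	}
	return findings
}

// Validate returns allowlist keys that carry no justification; an entry without a stated
// reason silences the audit but does not satisfy CM-7/1.
func Validate(allow Allowlist) []string {
	var bad []string
	for k, why := range allow {
		if strings.TrimSpace(why) == "" {
			bad = append(bad, k)
		}
	}
	return bad
}

// Constructed sample of `ss -tulnp` output for the example; not captured from a real device.
const sampleSS = `Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=512,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=601,fd=6))
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*    users:(("telnetd",pid=233,fd=4))
tcp   LISTEN 0      32           0.0.0.0:21        0.0.0.0:*    users:(("vsftpd",pid=240,fd=3))
tcp   LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*    users:(("debug-agent",pid=310,fd=5))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=180,fd=12))
`

// Assumed allowlist for the example device: SSH for administration and the HTTPS web interface.
var deviceAllowlist = Allowlist{
	"tcp/22":  "remote administration over SSH",
	"tcp/443": "device web interface (HTTPS)",
}

func main() {
	for _, k := range Validate(deviceAllowlist) {
		fmt.Println("allowlist entry without justification:", k)
	}
	for _, f := range Audit(ParseSS(sampleSS), deviceAllowlist) {
		fmt.Println("VIOLATION:", f.Reason)
	}
}
```

On the constructed sample the audit flags Telnet, FTP, the loopback-bound debug agent and mDNS; the first two are exactly the kind of default service the supplemental guidance names as candidates for elimination. Run on a real device, the `sampleSS` constant would be replaced by the output of `ss -tulnp`, and the allowlist would be the device's documented service list.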

Protocol Implementation Conformance Statements:

  ID           | Statement                                                                                            | Status        | Reference / Notes
  -------------+------------------------------------------------------------------------------------------------------+---------------+------------------------------------------
  CM-7/1       | Exposes only services required to operate                                                            | M             | For each service, state why it is needed
  CM-7/2       | Provides a mechanism for disabling all non-essential system services and applications                | M             |
  CM-7/3       | Supports data loss prevention policies                                                               | M             | Describe implementation
  CM-7(1)/4    | Requires that installed software is signed                                                           | O1            |
  CM-7(1)/4.1  | Uses hardware protection to secure the key used to verify software before installation               | CM-7(1)/1:M   |
  CM-7(1)/5    | Only allows software to be installed by a particular user role which is not activated by default on startup | O1     |
  CM-7(1)/5.1  | Supports an approved user authentication mechanism for the user role that updates software           | CM-7(1)/2:M   |

  Status key: M = mandatory. O1 = optional, but at least one of the two O1 statements (CM-7(1)/4, CM-7(1)/5) shall be implemented, matching "one or both" in the mechanisms above. CM-7(1)/1:M and CM-7(1)/2:M = mandatory when the first (CM-7(1)/4) or second (CM-7(1)/5) O1 alternative, respectively, is the one implemented.
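An added example, not from this profile or from any vendor implementation, of the signed-software alternative (mechanism 4 and its sub-requirement, PICS CM-7(1)/4 and CM-7(1)/4.1) with the chain of trust the mechanism describes: a root verification key that stands in for the hardware-protected key, a software-signing key certified by that root, and the image check performed before installation. The hardware module is simulated in software here; on a real device only the public half would be read from the module, and the root private key would never exist on the device at all. Ed25519, the certificate layout and the role label are choices made for the example, not something the profile prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HardwareRoot stands in for the verification key held in tamper-resistant hardware
// (FIPS 140-2 level 2, 3 or 4 in the profile). Only the public key is ever needed on
// the device; this example simulates the module in software.
type HardwareRoot struct{ pub ed25519.PublicKey }

// KeyCert binds a software-signing public key to the root: the root's signature over
// the signing key and a role label. This is the second link of the chain of trust.
type KeyCert struct {
	SigningKey ed25519.PublicKey
	Role       string // assumed role label, e.g. "firmware-update"
	RootSig    []byte
}

// SignedImage is an update package: image bytes, the signing-key certificate, and the
// signing key's signature over SHA-256(image). This is the third link of the chain.
type SignedImage struct {
	Image []byte
	Cert  KeyCert
	Sig   []byte
}

// certMessage is the byte string the root signs; the role is bound into it so a
// certified key cannot be repurposed.
func certMessage(c KeyCert) []byte {
	return append([]byte("signing-key:"+c.Role+":"), c.SigningKey...)
}

// IssueCert runs in the provisioning environment, never on the device: the root
// private key certifies a signing key for one role.
func IssueCert(rootPriv ed25519.PrivateKey, signingPub ed25519.PublicKey, role string) KeyCert {
	c := KeyCert{SigningKey: signingPub, Role: role}
	c.RootSig = ed25519.Sign(rootPriv, certMessage(c))
	return c
}

// SignImage is the build-pipeline side: sign SHA-256(image) with the certified key.
func SignImage(signingPriv ed25519.PrivateKey, cert KeyCert, image []byte) SignedImage {
	d := sha256.Sum256(image)
	return SignedImage{Image: image, Cert: cert, Sig: ed25519.Sign(signingPriv, d[:])}
}

// Verify walks the chain from the hardware-protected root: root -> signing-key
// certificate -> image. Every failure is a hard reject; there is no "install anyway".
func (r HardwareRoot) Verify(si SignedImage) error {
	if len(si.Cert.SigningKey) != ed25519.PublicKeySize {
		return errors.New("malformed signing key in certificate")
	}
	if !ed25519.Verify(r.pub, certMessage(si.Cert), si.Cert.RootSig) {
		return errors.New("signing key is not certified by the hardware root")
	}
	if si.Cert.Role != "firmware-update" {
		return fmt.Errorf("signing key role %q is not authorised to sign images", si.Cert.Role)
	}
	digest := sha256.Sum256(si.Image)
	if !ed25519.Verify(si.Cert.SigningKey, digest[:], si.Sig) {
		return errors.New("image signature does not verify")
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario builds a simulated root, a certified update key and several images, and returns
// the verification result for each case. All keys and image bytes are constructed here.
func Scenario() map[string]error {
	rootPub, rootPriv := mustKey()
	updPub, updPriv := mustKey()
	root := HardwareRoot{pub: rootPub}
	cert := IssueCert(rootPriv, updPub, "firmware-update")
	image := []byte("constructed firmware image v1.2")

	good := SignImage(updPriv, cert, image)

	// Image modified after signing: certificate still valid, digest no longer matches.
	tampered := SignImage(updPriv, cert, image)
	tampered.Image = []byte("constructed firmware image v1.2 + backdoor")

	// Attacker certifies their own key with their own root: the chain does not end at the device's root.
	attackerPub, attackerPriv := mustKey()
	_, fakeRootPriv := mustKey()
	forged := SignImage(attackerPriv, IssueCert(fakeRootPriv, attackerPub, "firmware-update"), image)

	// A key the real root did certify, but for another purpose, must not sign images.
	logPub, logPriv := mustKey()
	wrongRole := SignImage(logPriv, IssueCert(rootPriv, logPub, "log-signing"), image)

	return map[string]error{
		"good":         root.Verify(good),
		"tampered":     root.Verify(tampered),
		"forged-chain": root.Verify(forged),
		"wrong-role":   root.Verify(wrongRole),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-13s -> %v\n", name, err)
	}
}
```

The point of the structure is that the only long-lived secret the device must trust is the root public key, which is why the profile ties its integrity to local hardware: if an attacker can replace that one value, every link below it can be re-issued and `Verify` will accept the result. Rotating the update-signing key only requires a new certificate from the root, not a change to the device.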