
Least Functionality CM-7

Overview:
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].


Supplemental Guidance:
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.


Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.


Action Items:
1) Ensure only essential components and services are enabled on systems

2) Create a list of restricted components and services for systems
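The supplemental guidance above and the two action items describe one procedure: define the organization's list of allowed and prohibited functions, ports, protocols and services, then check each system against it. As an added example (not part of the control text, the linked policies, or any NIST or FedRAMP material), the following Python script does that for a single Linux host. It parses the output of `ss -tulpn` and reports every listener that is either on a prohibited list or not on the allow-list. The allow-list, the prohibited list, and the `ss` output embedded below are all constructed for this example; in practice the two lists are the organization-defined CM-7(b) parameters (for instance derived from the USGCB or CIS Level 1 baseline named later on this page).

```python
"""Check a host's listening sockets against a CM-7(b) allow-list.

Added example, not part of the CM-7 control text. The lists and the sample
`ss -tulpn` output are constructed for illustration; on a real host the
lists come from the organization's own CM-7(b) baseline.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Hypothetical organization-defined allow-list: (protocol, port) -> the one
# process that is permitted to own that listener on this single-function host.
ALLOWED_LISTENERS: dict[tuple[str, int], str] = {
    ("tcp", 22): "sshd",    # remote administration
    ("tcp", 443): "nginx",  # the web service this host exists to provide
}

# Hypothetical prohibited list, of the kind the supplemental guidance names
# (FTP, clear-text HTTP, file sharing, VoIP). Checked before the allow-list.
PROHIBITED_PORTS: dict[tuple[str, int], str] = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http (clear-text)",
    ("tcp", 445): "smb file sharing",
    ("udp", 5060): "sip/voip",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# Constructed sample in the format of `ss -tulpn` on Linux.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5060       0.0.0.0:*         users:(("asterisk",pid=812,fd=9))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=934,fd=6))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=934,fd=7))
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=702,fd=4))
tcp   LISTEN 0      32     [::]:21            [::]:*            users:(("vsftpd",pid=1201,fd=3))
"""

# Extracts the process name from the `users:(("name",pid=..,fd=..))` column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulpn` output into Listener records (header lines skipped)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local address is "addr:port"; rpartition handles "[::]:21" and "*:80".
        addr, _, port = fields[4].rpartition(":")
        match = _PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(fields[0], addr, int(port), process))
    return listeners


def evaluate(listeners: list[Listener]) -> list[tuple[str, Listener, str]]:
    """Return (finding, listener, reason) for every listener outside the baseline.

    Loopback-only listeners are deliberately not exempted: a service bound to
    127.0.0.1 is still enabled functionality that CM-7 asks you to justify.
    """
    findings = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key in PROHIBITED_PORTS:
            findings.append(("PROHIBITED", lst, PROHIBITED_PORTS[key]))
        elif key not in ALLOWED_LISTENERS:
            findings.append(("NOT_IN_BASELINE", lst, "not on the allow-list; justify or disable"))
        elif ALLOWED_LISTENERS[key] != lst.process:
            findings.append(("UNEXPECTED_PROCESS", lst, f"expected {ALLOWED_LISTENERS[key]}"))
    return findings


def live_ss_output() -> str:
    """Run `ss -tulpn` on this host, falling back to the sample if unavailable."""
    try:
        return subprocess.run(["ss", "-tulpn"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    for finding, lst, reason in evaluate(parse_ss(live_ss_output())):
        print(f"{finding:18} {lst.proto}/{lst.port:<5} {lst.addr:<12} {lst.process:<10} {reason}")
```

Run on the sample, the script flags the FTP, clear-text HTTP and SIP listeners as prohibited and the CUPS listener on 631 as outside the baseline, while sshd on 22 and nginx on 443 pass. A host-side listing like this is the "identify" half of the guidance; a rootkit or a compromised `ss` binary can hide listeners from it, so pair it with an external network scan (the scanning tools the guidance mentions) and treat any port the scanner sees that the host does not report as a finding in its own right.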


Related Documents:
1) Secure Systems Configuration Policy

2) Vulnerability Management Policy


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CM-7 (b) [United States Government Configuration Baseline (USGCB)]


Moderate Additional FedRAMP Requirements and Guidance
CM-7 (b) Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish a list of prohibited or restricted functions, ports, protocols, and/or services, or shall establish its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
CM-7 Guidance: Information on the USGCB checklists can be found at:
http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc
(Partially derived from AC-17(8).)