NIST 800-171 - Disable Unnecessary Components (3.4.7)
Overview:
Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
Action Items:
3.4.7[a]
Determine if: essential programs are defined.
3.4.7[b]
Determine if: the use of nonessential programs is defined.
3.4.7[c]
Determine if: the use of nonessential programs is restricted, disabled, or prevented as defined.
3.4.7[d]
Determine if: essential functions are defined.
3.4.7[e]
Determine if: the use of nonessential functions is defined.
3.4.7[f]
Determine if: the use of nonessential functions is restricted, disabled, or prevented as defined.
3.4.7[g]
Determine if: essential ports are defined.
3.4.7[h]
Determine if: the use of nonessential ports is defined.
3.4.7[i]
Determine if: the use of nonessential ports is restricted, disabled, or prevented as defined.
3.4.7[j]
Determine if: essential protocols are defined.
3.4.7[k]
Determine if: the use of nonessential protocols is defined.
3.4.7[l]
Determine if: the use of nonessential protocols is restricted, disabled, or prevented as defined.
3.4.7[m]
Determine if: essential services are defined.
3.4.7[n]
Determine if: the use of nonessential services is defined.
3.4.7[o]
Determine if: the use of nonessential services is restricted, disabled, or prevented as defined.
Potential Assessment Methods and Objects:
1) Examine: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system security plan; system design documentation; security configuration checklists; system configuration settings and associated documentation; specifications for preventing software program execution; documented reviews of programs, functions, ports, protocols, and/or services; change control records; system audit logs and records; other relevant documents or records.
2) Interview: Personnel with responsibilities for reviewing programs, functions, ports, protocols, and services on the system; personnel with information security responsibilities; system or network administrators; system developers.
3) Test: Organizational processes for reviewing and disabling nonessential programs, functions, ports, protocols, or services; mechanisms implementing review and handling of nonessential programs, functions, ports, protocols, or services; organizational processes preventing program execution on the system; organizational processes for software program usage and restrictions; mechanisms supporting or implementing software program usage and restrictions; mechanisms preventing program execution on the system.
Related Documents (document name and content will vary by organization):
1) Configuration management policy
2) procedures addressing least functionality in the system
3) configuration management plan
4) system security plan
5) system design documentation
6) security configuration checklists
7) system configuration settings and associated documentation
8) specifications for preventing software program execution
9) documented reviews of programs, functions, ports, protocols, and/or services
10) change control records
11) system audit logs and records
12) other relevant documents or records
Additional Guidance:
Restricting the use of nonessential software (programs) includes, for example, restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time.
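The assessment objectives above hinge on first defining what is essential ([g], [j], [m]) and then checking that everything else is restricted or disabled ([i], [l], [o]). The following added example (not part of the NIST text) shows that check for ports, protocols and services: the essential sets, the `ss -tulpn`-style socket listing and the enabled-service list are all constructed sample data standing in for an organization's own baseline and host inventory.

```python
import re

# Organization-defined essentials (3.4.7[g], [j], [m]); constructed sample values.
ESSENTIAL_PORTS = {("tcp", 22), ("tcp", 443)}
ESSENTIAL_PROTOCOLS = {"tcp"}
ESSENTIAL_SERVICES = {"sshd", "nginx", "auditd"}

# Constructed `ss -tulpn`-style output standing in for a real host inventory.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=1301,fd=6))
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=1410,fd=4))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*         users:(("snmpd",pid=955,fd=7))
"""
# Constructed list of enabled services (as from `systemctl list-unit-files --state=enabled`).
ENABLED_SERVICES = ["sshd", "nginx", "auditd", "telnetd", "snmpd", "cups"]

_PROC = re.compile(r'\(\("([^"]+)"')   # pulls the process name out of users:(("name",...))

def parse_listeners(ss_text):
    """Return (proto, port, process) for each socket in ss -tulpn style output."""
    listeners = []
    for line in ss_text.splitlines()[1:]:          # first row is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        port = int(local.rsplit(":", 1)[1])        # rsplit copes with IPv6 "[::]:22"
        m = _PROC.search(line)
        listeners.append((proto, port, m.group(1) if m else "?"))
    return listeners

def assess(listeners, enabled_services):
    """Map each item outside the essential sets to the 3.4.7 objective it fails."""
    findings = []
    for proto, port, proc in listeners:
        if (proto, port) not in ESSENTIAL_PORTS:                   # 3.4.7[i]
            findings.append(("3.4.7[i]", "port", f"{proto}/{port} ({proc})"))
    for proto in sorted({p for p, _, _ in listeners} - ESSENTIAL_PROTOCOLS):
        findings.append(("3.4.7[l]", "protocol", proto))           # 3.4.7[l]
    for svc in enabled_services:
        if svc not in ESSENTIAL_SERVICES:                          # 3.4.7[o]
            findings.append(("3.4.7[o]", "service", svc))
    return findings

if __name__ == "__main__":
    for objective, kind, value in assess(parse_listeners(SS_OUTPUT), ENABLED_SERVICES):
        print(f"{objective}: nonessential {kind} {value} must be restricted or disabled")
```

Each finding names the objective it fails, so the output doubles as evidence for the "documented reviews of programs, functions, ports, protocols, and/or services" the examine step asks for.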