Overview:
Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
Action Items:
3.4.6[a]
Determine if: essential system capabilities are defined based on the principle of least functionality.
3.4.6[b]
Determine if: the system is configured to provide only the defined essential capabilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: Configuration management policy; configuration management plan; procedures addressing least functionality in the system; system security plan; system design documentation; system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
2
Interview: Personnel with security configuration management responsibilities; personnel with information security responsibilities; system or network administrators].
3
Test: Organizational processes prohibiting or restricting functions, ports, protocols, or services; mechanisms implementing restrictions or prohibition of functions, ports, protocols, or services].
Related Documents (document name and content will vary by organization):
1) Configuration management policy
2) configuration management plan
3) procedures addressing least functionality in the system
4) system security plan
5) system design documentation
6) system configuration settings and associated documentation
7) security configuration checklists
8) other relevant documents or records
Additional Guidance:
Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component.
Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and hostbased intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
Article ID: 145
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-least-functionality-3-4-6-145.html