Authorized Software and Whitelisting CM-7(5)


Overview:
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].


Supplemental Guidance:
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.
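The deny-all, permit-by-exception rule in (b), combined with the integrity verification the guidance recommends, is straightforward to express in code. The example below is added here for illustration and is not part of the wiki article or of any particular whitelisting product: it records a SHA-256 digest for each authorized program (the allowlist from (a)), denies anything not on the list, and also denies a listed program whose current digest no longer matches the one recorded, which is the pre-execution verification the guidance describes. The file names and contents are constructed in a temporary directory so the script runs offline; the review-age check at the end reflects the "at least annually or when there is a change" FedRAMP parameter for (c), with the 365-day figure assumed for the example.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import date, timedelta


def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(authorized_paths):
    """CM-7(5)(a): record the digest of each organization-authorized program."""
    return {os.path.abspath(p): sha256_of_file(p) for p in authorized_paths}


def execution_decision(path, allowlist):
    """CM-7(5)(b): deny-all, permit-by-exception, with integrity verification.

    Returns (allowed, reason). Anything not explicitly listed is denied, and a
    listed program is denied if its on-disk content no longer matches the
    digest recorded when it was authorized.
    """
    abs_path = os.path.abspath(path)
    expected = allowlist.get(abs_path)
    if expected is None:
        return False, "not on allowlist"
    if not os.path.isfile(abs_path):
        return False, "file missing"
    actual = sha256_of_file(abs_path)
    # Constant-time comparison; the digests are hex strings of equal length.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "authorized"


def allowlist_review_overdue(last_review, today, max_age_days=365):
    """CM-7(5)(c): flag an allowlist whose scheduled review has lapsed.

    The 365-day window is an assumed value mirroring the FedRAMP moderate
    parameter of "at least annually"; a change to the system should trigger
    a review regardless of this timer.
    """
    return today - last_review > timedelta(days=max_age_days)


def demo():
    """Constructed scenario: three scripts, one tampered after listing."""
    with tempfile.TemporaryDirectory() as workdir:
        approved = os.path.join(workdir, "approved_tool.sh")
        tampered = os.path.join(workdir, "tampered_tool.sh")
        unlisted = os.path.join(workdir, "unlisted_tool.sh")
        for p in (approved, tampered, unlisted):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho ok\n")  # constructed content

        # Only two of the three programs are authorized.
        allowlist = build_allowlist([approved, tampered])

        # Simulate an unauthorized modification after authorization.
        with open(tampered, "a") as fh:
            fh.write("echo modified\n")

        return {
            "approved": execution_decision(approved, allowlist),
            "tampered": execution_decision(tampered, allowlist),
            "unlisted": execution_decision(unlisted, allowlist),
            "review_overdue": allowlist_review_overdue(
                date(2022, 9, 29), date(2022, 9, 29) + timedelta(days=400)
            ),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The decision function fails closed on every branch except an exact digest match, which is the property the control asks for; a production implementation would store the allowlist somewhere the unprivileged user cannot edit and would sign or checksum the list itself, since an attacker who can rewrite the allowlist can authorize anything.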


Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7.


Action Items:
1) Create and maintain a whitelist of permitted software

2) Deny all execution of unauthorized software


Related Documents:
1) Secure Systems Configuration Policy


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CM-7(5) (c) [at least annually or when there is a change]


Moderate Additional FedRAMP Requirements and Guidance
none



Article ID: 657
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/authorized-software-and-whitelisting-cm-7-5-657.html