User-Installed Software CM-11


Overview:
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].


Supplemental Guidance:
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.


Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.


Action Items:
1) Create an Acceptable Use Policy that covers software installation, stating which installations are permitted (e.g., updates and security patches to existing software, applications from organization-approved app stores) and which are prohibited (e.g., software of unknown or suspect pedigree)

2) Enforce the policy through technical means where possible (e.g., configuration settings that withhold installation privileges from ordinary users, or application allow-listing as in CM-7 (5)), and monitor compliance at the frequency the policy defines
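Monitoring compliance (part c of the control) is simplest when it is automated. The following Python script is an added example and is not part of this article: it compares an installed-software inventory against an organization-approved baseline (tying CM-11 to CM-2) and a prohibited list, and classifies each entry using the permitted/prohibited categories from the Supplemental Guidance above. The package names, versions, baseline, prohibited list and the "<name> <version>" inventory line format are constructed assumptions, not the output of any particular tool.

```python
"""Added example for CM-11(c): compare an installed-software inventory against
an approved baseline (CM-2) and a prohibited list. All names, versions and
the inventory line format below are constructed for illustration."""
from dataclasses import dataclass
from collections import Counter

# Constructed approved baseline: package name (lower-case) -> approved version.
BASELINE = {
    "openssl": "3.0.12",
    "chrome": "118.0.5993.70",
    "7zip": "23.01",
    "python": "3.11.4",
}

# Constructed prohibited list: software of unknown or suspect pedigree.
PROHIBITED = {"unknown-toolbar", "keygen-tool"}

# Constructed inventory text; the assumed format is "<name> <version>" per
# line, with blank lines and '#' comments ignored.
SAMPLE_INVENTORY = """\
# host: ws-042 (constructed sample)
openssl 3.0.13
chrome 118.0.5993.70
7zip 22.01
python 3.11.4
unknown-toolbar 1.0
torrent-client 4.2
"""


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    status: str   # BASELINE, UPDATE, DOWNGRADE, UNAUTHORIZED or PROHIBITED
    detail: str


def parse_version(version: str) -> tuple:
    """'3.0.12' -> (3, 0, 12). Non-numeric characters are dropped so that
    versions such as '1.2.3b' still order sensibly; tuples compare lexically."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_inventory(text: str) -> dict:
    """Parse the assumed '<name> <version>' format into {name: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition(" ")
        installed[name.lower()] = version.strip() or "unknown"
    return installed


def check_inventory(installed: dict, baseline: dict, prohibited: set) -> list:
    """Classify each installed package against policy. The prohibited list is
    checked first so a prohibited package is flagged even if it was mistakenly
    added to the baseline."""
    findings = []
    for name, version in sorted(installed.items()):
        if name in prohibited:
            findings.append(Finding(name, version, "PROHIBITED", "on prohibited list"))
            continue
        if name not in baseline:
            findings.append(Finding(name, version, "UNAUTHORIZED", "not in approved baseline"))
            continue
        approved = baseline[name]
        have, want = parse_version(version), parse_version(approved)
        if have == want:
            findings.append(Finding(name, version, "BASELINE", f"matches approved {approved}"))
        elif have > want:
            # Updates and security patches to existing software are permitted.
            findings.append(Finding(name, version, "UPDATE", f"newer than approved {approved}"))
        else:
            # Assumption of this example: a downgrade may undo a security patch,
            # so it is reported for review rather than treated as permitted.
            findings.append(Finding(name, version, "DOWNGRADE", f"older than approved {approved}"))
    return findings


def summarize(findings: list) -> dict:
    """Counts per status, e.g. {'BASELINE': 2, 'UPDATE': 1, ...}."""
    return dict(Counter(f.status for f in findings))


def is_compliant(findings: list) -> bool:
    """True only when nothing unauthorized, prohibited or downgraded is present."""
    return not any(f.status in {"UNAUTHORIZED", "PROHIBITED", "DOWNGRADE"} for f in findings)


if __name__ == "__main__":
    results = check_inventory(parse_inventory(SAMPLE_INVENTORY), BASELINE, PROHIBITED)
    for f in results:
        print(f"{f.status:12} {f.name:16} {f.version:16} {f.detail}")
    print("compliant:", is_compliant(results), summarize(results))
```

In practice the inventory would come from the endpoint management or configuration tool already in use, and the check would run at the CM-11(c) frequency (continuously, for the FedRAMP Moderate parameter below); the classification logic is what stays the same.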


Related Documents:
1) Secure Systems Configuration Policy

2) Acceptable Use Policy


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CM-11 (c) [Continuously (via CM-7 (5))]


Moderate Additional FedRAMP Requirements and Guidance
none



Article ID: 665
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/user-installed-software-cm-11-665.html