CMMC CM.2.062 - Employ Least Functionality

CMMC CM.2.062 - Employ Least Functionality

Requirement text: CM.2.062: Employ the principle of least functionality by configuring organizational
systems to provide only essential capabilities.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Systems can provide a wide variety of functions and services. Some of the functions and
services routinely provided by default, may not be necessary to support essential
organizational missions, functions, or operations. It is sometimes convenient to provide
multiple services from single system components. However, doing so increases risk over
limiting the services provided by any one component. Where feasible, organizations limit
component functionality to a single function per component.

Organizations review functions and services provided by systems or components of systems,
to determine which functions and services are candidates for elimination. Organizations
disable unused or unnecessary physical and logical ports and protocols to prevent
unauthorized connection of devices, transfer of information, and tunneling. Organizations
can utilize network scanning tools, intrusion detection and prevention systems, and end-
point protections such as firewalls and host-based intrusion detection systems to identify
and prevent the use of prohibited functions, ports, protocols, and services.

CMMC CLARIFICATION
You should customize organizational systems. To do this, remove non-essential applications
and disable services not needed. Systems come with many unnecessary applications and
settings enabled by default. Disable unnecessary software and services. These include
unused ports and protocols. Leave only the fewest capabilities necessary for the systems to
operate effectively.

Example
You know that systems often include unnecessary software and services enabled by default.
You deploy new servers in your organization’s IT environment. Before you do so, you review
each system’s role and minimum required capabilities. You remove software that is not
needed. You disable unused ports and services. You leave only the essential capabilities
enabled for the system to function in its role.

References
• NIST SP 800-171 Rev 1 3.4.6
• NIST CSF v1.1 PR.IP-1, PR.PT-3
• CERT RMM v1.2 TM:SG2.SP2
• NIST SP 800-53 Rev 4 CM-7
• UK NCSC Cyber Essentials

    • Related Articles

    • CMMC AC.2.007 - Employ Least Privilege

      Requirement text: AC.2.007: Employ the principle of least privilege, including for specific security functions and privileged accounts. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Organizations employ the principle of least privilege for ...

    • CMMC CM.4.073 - Employ Application Whitelisting

      Requirement text: CM.4.073: Employ application whitelisting and an application vetting process for systems identified by the organization. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 (MODIFIED) The process used to identify software programs that ...

    • CMMC SC.3.181 - Separate User Functionality from System Management Functionality

      Requirement text: SC.3.181: Separate user functionality from system management functionality. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 System management functionality includes functions necessary to administer databases, network components, ...

    • CMMC CM.2.061 - Establish Baseline System Configuration

      Requirement text: CM.2.061: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. DISCUSSION FROM ...

    • CMMC CM.2.064 - Enforce System Configuration

      Requirement text: CM.2.064: Establish and enforce security configuration settings for information technology products employed in organizational systems. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Configuration settings are the set of ...