CMMC CM.2.063 - Control User Software

Requirement text: CM.2.063: Control and monitor user-installed software.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Users can install software in organizational systems if provided the necessary privileges. To
maintain control over the software installed, organizations identify permitted and
prohibited actions regarding software installation through policies. Permitted software
installations include updates and security patches to existing software and applications from
organization-approved “app stores.” Prohibited software installations may include software
with unknown or suspect pedigrees or software that organizations consider potentially
malicious. The policies organizations select governing user-installed software may be
organization-developed or provided by some external entity. Policy enforcement methods
include procedural methods, automated methods, or both.

CMMC CLARIFICATION
Limit installed software to items the organization has approved. Software that users install on their own can create unnecessary risk, both to the machine it runs on and to the larger operating environment. Control what software users can install, and put in place policies and technical controls that reduce that risk.

Example
You are the IT administrator for your company. A user calls you for help installing a software
package. He keeps receiving a prompt asking for an administrator password. The prompt appears
because his account does not have permission to install software. You explain the
organization's policy: it prohibits users from installing software without approval. When
you set up workstations for users, you do not grant administrative privileges; you make
an exception only when a user needs administrative access to do his job. After the call, you
redistribute the policy to all users so that everyone in the organization is aware of the
restrictions.
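The requirement has a "monitor" half as well as a "control" half, and the source discussion notes that enforcement may be automated. The following is an added example, not code from the CMMC or NIST documents: a small monitor that reads Windows Application-log records for Windows Installer success events (MsiInstaller event 11707, "Installation completed successfully") and flags any install whose product is not on the organization's approved list or whose installing account is not a designated administrator. The log line layout, the approved-product and approved-installer lists, and the account names are all constructed for this example; a real deployment would feed it exported event records and the organization's actual inventory.

```python
"""
Added example (not from the CMMC/NIST source): monitor user-installed software
by parsing Windows Installer success events and comparing them to policy.
"""
import re
from dataclasses import dataclass

# Assumed policy data (hypothetical). In practice these come from the
# organization's software inventory and directory group membership.
APPROVED_PRODUCTS = {"7-Zip 19.00 (x64 edition)", "Google Chrome", "Microsoft Edge"}
APPROVED_INSTALLERS = {"CORP\\svc-sccm", "CORP\\it-admin"}

# Constructed sample records in a "timestamp|source|event_id|user|message"
# layout. Event 11707 is Windows Installer's "installation completed" record;
# 11724 is the matching "removal completed" record and is ignored here.
SAMPLE_LOG = """\
2024-03-04T09:12:31|MsiInstaller|11707|CORP\\svc-sccm|Product: Google Chrome -- Installation completed successfully.
2024-03-04T10:02:07|MsiInstaller|11707|CORP\\jdoe|Product: TotallyFreeScreenSaver 2.1 -- Installation completed successfully.
2024-03-04T10:05:44|MsiInstaller|11724|CORP\\jdoe|Product: Google Chrome -- Removal completed successfully.
2024-03-04T11:30:00|MsiInstaller|11707|CORP\\jdoe|Product: 7-Zip 19.00 (x64 edition) -- Installation completed successfully.
2024-03-04T12:00:15|MsiInstaller|11707|CORP\\it-admin|Product: 7-Zip 19.00 (x64 edition) -- Installation completed successfully.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<source>[^|]+)\|(?P<event_id>\d+)\|(?P<user>[^|]+)\|(?P<msg>.*)$"
)
PRODUCT_RE = re.compile(
    r"^Product: (?P<product>.+?) -- Installation completed successfully\.$"
)


@dataclass(frozen=True)
class Install:
    timestamp: str
    user: str
    product: str


def parse_installs(log_text):
    """Return one Install per MsiInstaller 11707 record; other records are skipped."""
    installs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["source"] != "MsiInstaller" or m["event_id"] != "11707":
            continue
        pm = PRODUCT_RE.match(m["msg"])
        if not pm:
            continue  # malformed message text; not an install we can attribute
        installs.append(Install(m["ts"], m["user"], pm["product"]))
    return installs


def find_violations(installs, approved_products, approved_installers):
    """Return (install, reasons) for each install that breaks policy.

    Both checks are applied independently so the analyst can see whether the
    problem is the software ("what") or an account holding install rights it
    should not have ("who"), or both.
    """
    findings = []
    for inst in installs:
        reasons = []
        if inst.product not in approved_products:
            reasons.append("unapproved product")
        if inst.user not in approved_installers:
            reasons.append("installer not an approved admin")
        if reasons:
            findings.append((inst, reasons))
    return findings


if __name__ == "__main__":
    for inst, reasons in find_violations(
        parse_installs(SAMPLE_LOG), APPROVED_PRODUCTS, APPROVED_INSTALLERS
    ):
        print(f"{inst.timestamp} {inst.user} installed {inst.product!r}: {', '.join(reasons)}")
```

An approved product installed by an unapproved account is still reported: it means the account holds installation rights the policy says it should not have, which is exactly the workstation-setup gap the example above describes.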

References
• NIST SP 800-171 Rev 1 3.4.9
• CIS Controls v7.1 2.1, 2.2, 2.6
• NIST CSF v1.1 DE.CM-3
• CERT RMM v1.2 MON:SG2.SP3
• NIST SP 800-53 Rev 4 CM-11