Requirement text: CM.3.068: Restrict, disable, or prevent the use of nonessential programs, functions,
ports, protocols, and services.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Restricting the use of nonessential software (programs) includes restricting the roles
allowed to approve program execution; prohibiting auto-execute; program blacklisting and
whitelisting; or restricting the number of program instances executed at the same time. The
organization makes a security-based determination which functions, ports, protocols,
and/or services are restricted. Bluetooth, FTP, and peer-to-peer networking are examples
of protocols organizations consider preventing the use of, restricting, or disabling.
CMMC CLARIFICATION
Organizations should only use the minimum set of programs, services, ports, and protocols
required for to accomplish the organization's mission. This has several implications:
• All unnecessary programs and accounts are removed from all endpoints and servers.
• The organization makes a policy decision to control the execution of programs
through either whitelisting or blacklisting. Whitelisting means a program can only
run if the software has been vetted in some way, and the executable name has been
entered onto a list of allowed software. Blacklisting means any software can execute
as long it is not on a list of known malicious software. Whitelisting provides far more
security than blacklisting, but the organization's policy can direct the implementation
of either approach. Control of execution applies to both servers and endpoints.
• The organization restricts the use of all unnecessary ports, protocols, and system
services in order to limit entry points that attackers can use. For example the use of
the FTP service is eliminated from all computers, and the associated ports are blocked
unless a required service utilizes those ports. The elimination of nonessential
functionality on the network and systems provides a smaller attack surface for an
attacker to gain access and take control of your network or systems.
Example
You are responsible for purchasing new endpoint hardware, installing organizationally
required software to the hardware, and configuring the endpoint in accordance with the
organization's policy, The organization has a system imaging capability that loads all
necessary software, but it does not remove unnecessary services, eliminate the use of certain
protocols, or close unused ports. After imaging the systems you close all ports and block the
use of all protocols except the following:
• TCP for SSH on port 22;
• SMTP on port 25;
• TCP and UDP on port 53; and
• HTTP and HTPS on port 443.
The use of any other ports or protocols are allowed by exception only.
References
• NIST SP 800-171 Rev 1 3.4.7
• CIS Controls v7.1 9.2, 9.4, 12.4
• NIST CSF v1.1 PR.IP-1, PR.PT-3
• CERT RMM v1.2 TM:SG2.SP2
• NIST SP 800-53 Rev 4 CM-7(1), CM-7(2)
• UK NCSC Cyber Essentials