DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
The process used to identify software programs that are not authorized to execute on
systems is commonly referred to as blacklisting. The process used to identify software
programs that are authorized to execute on systems is commonly referred to as whitelisting.
Whitelisting is the stronger of the two policies for restricting software program execution.
In addition to whitelisting, organizations consider verifying the integrity of whitelisted
software programs using, for example, cryptographic checksums, digital signatures, or hash
functions. Verification of whitelisted software can occur either prior to execution or at
system startup.
CMMC CLARIFICATION
Organizations should determine their blacklisting or whitelisting policy and configure the
system to manage software that is allowed to run. Blacklisting or deny-by-exception allows
all software to run except if on an unauthorized software list. Whitelisting or permit-by-exception
does not allow any software to run except if on an authorized software list. The
stronger policy of the two is whitelisting.
Example
You are in charge of managing the IT infrastructure within your organization. To provide
better protection for your company you have decided to take a whitelist approach. With
additional research you identify a capability within the latest operating system that can
control executables, scripts, libraries, or application installers run in your environment. To
ensure success, you begin by authorizing digitally signed executables. Once that is deployed,
you plan to evaluate and deploy whitelisting for software libraries and scripts as well.
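The two policies contrasted in the CMMC clarification above, together with the hash-based integrity verification the NIST discussion mentions, as an added illustration that is not part of the CMMC text or any operating-system feature: the program images, names and hash lists below are constructed for the example, and a real control would hash the files on disk or check their signatures.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Integrity fingerprint of a program image (stand-in for a signed hash)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample program images; a real policy would hash files on disk.
PROGRAMS = {
    "payroll.exe": b"approved payroll application v1",
    "updater.exe": b"approved updater v3",
    "newtool.exe": b"utility nobody has reviewed yet",
    "known_bad.exe": b"sample on the organization's unauthorized list",
}
# A copy of payroll.exe with bytes appended: same name, different content.
PROGRAMS["payroll_modified.exe"] = PROGRAMS["payroll.exe"] + b"\x00patched"

# Whitelist (permit-by-exception): hashes of the authorized programs only.
AUTHORIZED = {sha256_hex(PROGRAMS[n]) for n in ("payroll.exe", "updater.exe")}
# Blacklist (deny-by-exception): hashes of the programs explicitly forbidden.
UNAUTHORIZED = {sha256_hex(PROGRAMS["known_bad.exe"])}


def deny_by_exception(data: bytes) -> str:
    """Blacklisting: everything runs unless its hash is on the unauthorized list."""
    return "deny" if sha256_hex(data) in UNAUTHORIZED else "allow"


def permit_by_exception(data: bytes) -> str:
    """Whitelisting: nothing runs unless its hash is on the authorized list.

    Because the list holds hashes, a modified copy of an authorized program
    no longer matches, so integrity verification is part of the same decision.
    """
    return "allow" if sha256_hex(data) in AUTHORIZED else "deny"


def evaluate(policy) -> dict:
    """Apply one policy to every program and return name -> decision."""
    return {name: policy(data) for name, data in PROGRAMS.items()}


if __name__ == "__main__":
    for label, policy in (("blacklist", deny_by_exception),
                          ("whitelist", permit_by_exception)):
        print(label, evaluate(policy))
```

Under the blacklist the unreviewed tool and the modified payroll binary both run; under the whitelist both are denied, which is why the text calls whitelisting the stronger policy.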
References
• NIST SP 800-171 Rev 1 3.4.8
• CIS Controls v7.1 2.1, 2.2, 2.6, 2.7, 2.8, 2.9
• NIST CSF v1.1 PR.PT-3
• CERT RMM v1.2 TM:SG2.SP2
• NIST SP 800-53 Rev 4 CM-7(4), CM-7(5)
• UK NCSC Cyber Essentials