CMMC CM.4.073 - Employ Application Whitelisting

Requirement text: CM.4.073: Employ application whitelisting and an application vetting process for
systems identified by the organization.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 (MODIFIED)
The process used to identify software programs that are not authorized to execute on
systems is commonly referred to as blacklisting. The process used to identify software
programs that are authorized to execute on systems is commonly referred to as whitelisting.
Whitelisting is the stronger of the two policies for restricting software program execution.
In addition to whitelisting, organizations consider verifying the integrity of whitelisted
software programs using, for example, cryptographic checksums, digital signatures, or hash
functions. Verification of whitelisted software can occur either prior to execution or at
system startup. This practice requires the use of application whitelisting where feasible.
NIST SP 800-167 provides guidance on application whitelisting.

CMMC CLARIFICATION
The organization has a procedure to validate systems used for processing CUI and to
identify the applications required for CUI processing. The procedure includes the steps a
new application must go through to check that it is not malicious and that there is a
business requirement for the application before it is added to the whitelist. The
organization has configured its systems (e.g., desktop, laptop, tablet) to check that an
application has been approved for use (whitelisted) before the application can run. All
unapproved applications are, by default, blocked from running on the organization’s
systems. See practice RM.5.152 for more information on handling non-whitelisted software.

Example 1
You are responsible for system security at your organization. An employee asks you to
approve a data visualization application they want to use to develop charts in their final
report to the sponsor. After you confirm with the project manager that the application is
required, you run a script to calculate the MD5 hash value for the executable and submit it
to virustotal.com for validation. After confirming the application is safe you add the
application to the whitelist.

Example 2
You are responsible for system security at your organization. An employee asks you to
whitelist an application found through an Internet search. You download a copy of the file
and submit it to virustotal.com. You determine that it is malicious. You delete all copies of
the application from all of your organization’s computers and do not add it to the
organization’s whitelist.
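The vetting process and pre-execution check described in the clarification and in Examples 1
and 2, as an added illustration that is not part of the CMMC source text: an application is
added to the allowlist only with a recorded business requirement and a clean scan verdict,
execution is denied by default, and a modified copy of an approved executable is blocked
because its hash no longer matches. The sample "executables", the verdict strings and the
entry fields are constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "executables": stand-ins for real binaries so the example
# runs offline without touching the filesystem or virustotal.com.
CHART_TOOL_V1 = b"MZ\x90\x00 chart-tool 1.0 (constructed sample)"
CHART_TOOL_TAMPERED = CHART_TOOL_V1 + b"\x00injected"
DOWNLOADED_APP = b"MZ\x90\x00 search-result.exe (constructed sample)"


def file_hashes(data: bytes) -> dict:
    """Return the MD5 (the value Example 1 submits to virustotal.com) and the
    SHA-256 (collision-resistant, so used as the allowlist key) of a file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


@dataclass
class AllowlistEntry:
    name: str
    business_justification: str
    scan_verdict: str  # constructed values: "clean" or "malicious"


class ApplicationAllowlist:
    """Deny-all, permit-by-exception: only vetted SHA-256 hashes may execute."""

    def __init__(self):
        self._entries = {}

    def vet_and_add(self, name, data, business_justification, scan_verdict):
        """Vetting step: add the application only if a business requirement is
        recorded (Example 1) and the scan did not flag it (Example 2)."""
        if not business_justification:
            return False, "no business requirement recorded"
        if scan_verdict != "clean":
            return False, f"scan verdict is {scan_verdict!r}; not added"
        self._entries[file_hashes(data)["sha256"]] = AllowlistEntry(
            name, business_justification, scan_verdict)
        return True, "added to allowlist"

    def is_execution_allowed(self, data):
        """Pre-execution check: the hash of the bytes about to run must match
        an approved entry exactly, so a tampered copy is blocked as well."""
        return file_hashes(data)["sha256"] in self._entries
```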

References
• CMMC modification of NIST SP 800-171 3.4.8
• CIS Controls v7.1 2.1, 2.2, 2.6, 2.7, 2.8, 2.9
• NIST CSF v1.1 PR.PT-3
• CERT RMM v1.2 TM:SG2.SP2
• NIST SP 800-53 Rev 4 CM-7(4), CM-7(5)