CM-7 (4)     Least Functionality | Unauthorized Software / Blacklisting

The organization:
     CM-7 (4)(a):  Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
     CM-7 (4)(b):  Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
     CM-7 (4)(c):  Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
Applicable CNSSI 1253 Baselines

Confidentiality
  • L
  • M
  • H
Integrity
  • L
  • M
  • H
Availability
  • L
  • M
  • H

Supplemental Guidance

The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.
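The following is an added illustration, not part of the NIST control text, of the two execution-control policies the guidance contrasts. It models a program by the SHA-256 of its contents (so a renamed copy of a prohibited program is still caught, while a modified copy is not), evaluates a constructed set of sample programs under an allow-all/deny-by-exception policy (this enhancement) and under a deny-all/allow-by-exception policy (CM-7 (5)), and reports the programs that only the blacklist lets run. The sample paths, contents and the `entries_due_for_review` helper for the CM-7 (4)(c) review frequency are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample programs: path -> file contents standing in for binaries on disk.
SAMPLE_PROGRAMS = {
    "/usr/bin/approved-tool": b"approved tool binary v1",
    "/tmp/blocked-miner": b"blocked program contents",
    "/tmp/renamed-miner": b"blocked program contents",        # same bytes, new name
    "/tmp/blocked-miner-v2": b"blocked program contents v2",  # modified copy
    "/home/user/unknown-app": b"never reviewed by anyone",
}


def program_hash(content: bytes) -> str:
    """Identify a program by the SHA-256 of its bytes rather than by its name."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class ExecutionPolicy:
    # "deny-by-exception": allow everything except listed hashes (CM-7 (4), blacklisting)
    # "allow-by-exception": deny everything except listed hashes (CM-7 (5), whitelisting)
    mode: str
    exceptions: set[str]

    def allows(self, content: bytes) -> bool:
        listed = program_hash(content) in self.exceptions
        if self.mode == "deny-by-exception":
            return not listed
        if self.mode == "allow-by-exception":
            return listed
        raise ValueError(f"unknown policy mode: {self.mode}")


def evaluate(policy: ExecutionPolicy, programs: dict[str, bytes]) -> dict[str, bool]:
    """Return, per program path, whether the policy would permit execution."""
    return {path: policy.allows(content) for path, content in programs.items()}


def blacklist_gap(programs: dict[str, bytes], denied: set[str], authorized: set[str]) -> set[str]:
    """Programs a deny-by-exception policy runs that an allow-by-exception policy would block.

    This is the set of programs that are neither explicitly prohibited nor
    explicitly authorized; it is why the guidance calls whitelisting the stronger policy.
    """
    blacklist = ExecutionPolicy("deny-by-exception", denied)
    whitelist = ExecutionPolicy("allow-by-exception", authorized)
    black = evaluate(blacklist, programs)
    white = evaluate(whitelist, programs)
    return {path for path in programs if black[path] and not white[path]}


def entries_due_for_review(last_reviewed: dict[str, date], today: date, frequency_days: int) -> set[str]:
    """CM-7 (4)(c): list entries whose last review is older than the defined frequency (constructed helper)."""
    return {h for h, reviewed in last_reviewed.items() if today - reviewed > timedelta(days=frequency_days)}


# Constructed lists: one prohibited program, one authorized program.
DENIED_HASHES = {program_hash(b"blocked program contents")}
AUTHORIZED_HASHES = {program_hash(b"approved tool binary v1")}


if __name__ == "__main__":
    for mode, exc in (("deny-by-exception", DENIED_HASHES), ("allow-by-exception", AUTHORIZED_HASHES)):
        print(mode)
        for path, allowed in evaluate(ExecutionPolicy(mode, exc), SAMPLE_PROGRAMS).items():
            print(f"  {'ALLOW' if allowed else 'DENY '} {path}")
    print("only the blacklist runs:", sorted(blacklist_gap(SAMPLE_PROGRAMS, DENIED_HASHES, AUTHORIZED_HASHES)))
```

Running the block shows the renamed copy of the prohibited program denied by hash, while the modified copy and the never-reviewed program both execute under the deny-by-exception policy and are blocked under allow-by-exception; the review helper is the mechanical part of keeping the list current at the organization-defined frequency.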


Related Controls