Level 5 CMMC - CMMC Practices

CM.2.062  

Reference: CMMC 1.02

Family: CM

Level Introduced: 2

Practice:
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

CMMC Clarification:
You should customize organizational systems. To do this, remove non-essential applications and disable services not needed. Systems come with many unnecessary applications and settings enabled by default. Disable unnecessary software and services. These include unused ports and protocols. Leave only the fewest capabilities necessary for the systems to operate effectively.

Example
You know that systems often include unnecessary software and services enabled by default. You deploy new servers in your organization’s IT environment. Before you do so, you review each system’s role and minimum required capabilities. You remove software that is not needed. You disable unused ports and services. You leave only the essential capabilities enabled for the system to function in its role.

3.4.6

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Discussion:
Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component.

Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

Source: NIST Special Publication 800-171 Rev. 2

CM-7

LEAST FUNCTIONALITY

Description:
The organization:
    a. Configures the information system to provide only essential capabilities; and
    b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].

Supplemental Guidance:
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02