Level 5 CMMC - CMMC Practices

CM.2.063  

Reference: CMMC 1.02

Family: CM

Level Introduced: 2

Practice:
Control and monitor user-installed software.

CMMC Clarification:
You should limit installed software to items that the organization has approved. Users may install software that creates unnecessary risk, both to the machine it runs on and to the larger operating environment. You should control the software users can install, and put in place policies and technical controls (for example, withholding administrative privileges on workstations and maintaining an approved-software list) that reduce this risk to the organization.

Example
You are the IT administrator for your company. A user calls you for help installing a software package. He keeps receiving a prompt asking for a password. The user receives the prompt because he does not have permission to install the software. You explain the organization's policy: it prohibits users from installing software without approval. When you set up workstations for users, you do not grant administrative privileges. You make an exception only if a user needs administrative access to do his job. After the call, you redistribute the policy to all users, ensuring everyone in the organization is aware of the restrictions.

3.4.9

Control and monitor user-installed software.

Discussion:
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.

Source: NIST Special Publication 800-171 Rev. 2

CM-11

USER-INSTALLED SOFTWARE

Description:
The organization:
    a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
    b. Enforces software installation policies through [Assignment: organization-defined methods]; and
    c. Monitors policy compliance at [Assignment: organization-defined frequency].

Supplemental Guidance:
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.

Source: NIST Special Publication 800-53 Rev. 4
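Both the 800-171 discussion and CM-11(c) call for monitoring compliance, and CM-11 names two enforcement methods: periodic examination of user accounts and automated checks against configuration. The script below is an added example, not text from CMMC or NIST, of what such a monitoring check can look like. It compares a workstation's current installed-software inventory against an approved baseline and an organization allowlist, treats a version change of an already-approved package as a permitted update or patch, flags packages not on the allowlist, flags a package whose name is approved but whose publisher is not (the "suspect pedigree" case), and lists local-administrator group members who are not on the approved-exception list. The allowlist, the inventory snapshots and the group membership are all constructed inline for illustration; a real deployment would feed it output from an endpoint-management agent and would verify publisher identity from the code signature rather than from a free-text publisher field.

```python
"""Added example: an inventory and account check for CM.2.063 / NIST 800-53 CM-11(c).

All data below (allowlist, baseline, current snapshot, admin-group membership)
is constructed for illustration and is not from any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    publisher: str


# Organization allowlist: package name -> publishers accepted for it (constructed).
APPROVED_SOFTWARE = {
    "firefox": {"Mozilla"},
    "7zip": {"Igor Pavlov"},
    "vscode": {"Microsoft"},
}

# Last reviewed baseline snapshot of a workstation (constructed).
BASELINE = {
    Package("firefox", "115.0", "Mozilla"),
    Package("7zip", "23.01", "Igor Pavlov"),
}

# Current snapshot of the same workstation (constructed). It contains a
# legitimate update, an unapproved package, and a package whose name is
# approved but whose publisher is not.
CURRENT = {
    Package("firefox", "116.0", "Mozilla"),       # update of approved software
    Package("7zip", "23.01", "Igor Pavlov"),      # unchanged since baseline
    Package("torrent-client", "1.4", "unknown"),  # not on the allowlist
    Package("vscode", "1.85", "Example Ltd"),     # approved name, wrong publisher
}

# Accounts permitted to hold local administrator rights (constructed exception list).
APPROVED_ADMINS = {"Administrator", "svc-endpoint-mgmt", "jdoe"}

VIOLATION_STATUSES = {"unapproved", "suspect-publisher"}


def classify(pkg, approved):
    """Classify one package against the allowlist."""
    publishers = approved.get(pkg.name)
    if publishers is None:
        return "unapproved"
    if pkg.publisher not in publishers:
        return "suspect-publisher"
    return "approved"


def audit_inventory(current, baseline, approved):
    """Return (name, version, status) for every package added since the baseline.

    Packages already in the baseline are treated as previously reviewed. A new
    version of an approved package that was in the baseline is an update or
    patch, which the policy permits; an approved package not previously present
    is reported as "new-approved" so the reviewer still sees it.
    """
    baseline_names = {p.name for p in baseline}
    findings = []
    for pkg in sorted(current - baseline, key=lambda p: p.name):
        status = classify(pkg, approved)
        if status == "approved":
            status = "update" if pkg.name in baseline_names else "new-approved"
        findings.append((pkg.name, pkg.version, status))
    return findings


def violations(findings):
    """Filter audit findings down to the ones that breach the installation policy."""
    return [f for f in findings if f[2] in VIOLATION_STATUSES]


def unapproved_admins(members, approved):
    """Periodic examination of user accounts: admin-group members with no approved exception."""
    return sorted(set(members) - set(approved))


def main():
    findings = audit_inventory(CURRENT, BASELINE, APPROVED_SOFTWARE)
    for name, version, status in findings:
        print(f"{name:15} {version:8} {status}")
    print("policy violations:", [f[0] for f in violations(findings)])
    # Constructed local Administrators group membership for the same host.
    print("admins without exception:",
          unapproved_admins(["Administrator", "jdoe", "bob"], APPROVED_ADMINS))


if __name__ == "__main__":
    main()
```

Run on its constructed data, the check reports the firefox change as a permitted update, torrent-client as unapproved, vscode as suspect-publisher, and bob as an administrator with no recorded exception; the violations list is what an organization would ticket or alert on at whatever frequency it defines for CM-11(c).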

Source: CMMC v1.02