Level 5 CMMC - CMMC Practices

CM.4.073

Reference: CMMC 1.02

Family: CM

Level Introduced: 4

Practice:
Employ application whitelisting and an application vetting process for systems identified by the organization.

CMMC Clarification:
The organization has a procedure to validate systems used for processing CUI and to identify the applications required for CUI processing. The procedure includes the steps a new application must go through to check that it is not malicious and that there is a business requirement for the application before it is added to the whitelist. The organization has configured its systems (e.g., desktop, laptop, tablet) to check that an application has been approved for use (whitelisted) before the application can run. All unapproved applications are, by default, blocked from running on the organization’s systems. See practice RM.5.152 for more information on handling non-whitelisted software.

Example 1
You are responsible for system security at your organization. An employee asks you to approve a data visualization application they want to use to develop charts in their final report to the sponsor. After you confirm with the project manager that the application is required, you run a script to calculate the MD5 hash value for the executable and submit it to virustotal.com for validation. After confirming the application is safe you add the application to the whitelist.

Example 2
You are responsible for system security at your organization. An employee asks you to whitelist an application found through an Internet search. You download a copy of the file and submit it to virustotal.com. You determine that it is malicious. You delete all copies of the application from all of your organization’s computers and do not add it to the organization’s whitelist.

3.4.8

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Discussion:
The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup.

[SP 800-167] provides guidance on application whitelisting.
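The following is an added illustration, not text or code from CMMC, NIST SP 800-171 or SP 800-53: a minimal deny-all, permit-by-exception check of the kind described in the Discussion and in Example 1 above, where the allowlist entry is the cryptographic digest of the vetted executable rather than its name or path, so a tampered or replaced binary fails the check even if it keeps the approved file name. The file names, sample bytes, allowlist layout and the `justification` field are constructed for the example. SHA-256 is used instead of the MD5 mentioned in Example 1 because MD5 is no longer collision-resistant, which matters when a digest is what authorizes execution.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved):
    """Build the allowlist from programs that already passed the vetting procedure.

    approved: iterable of (path, name, justification). The key is the digest, not the
    path, so the allowlist authorizes exactly one set of bytes per entry (constructed layout).
    """
    return {sha256_file(p): {"name": n, "justification": j} for p, n, j in approved}


def is_execution_allowed(path, allowlist, audit_log):
    """Deny-all, permit-by-exception: run only if the file's digest is on the allowlist.

    Returns True/False and appends a decision record to audit_log so denials can be
    reviewed (an unexpected denial of an approved program is the signal of tampering).
    """
    digest = sha256_file(path)
    entry = allowlist.get(digest)
    if entry is None:
        audit_log.append(f"DENY  {os.path.basename(path)} sha256={digest} (not on allowlist)")
        return False
    audit_log.append(f"ALLOW {os.path.basename(path)} sha256={digest} approved as {entry['name']}")
    return True


def demo():
    """Constructed scenario: one vetted program, a tampered copy of it, and an unknown download."""
    decisions = {}
    audit_log = []
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "chartgen.exe")
        tampered = os.path.join(d, "chartgen.exe.bak")       # same name stem, one byte changed
        unknown = os.path.join(d, "random_download.exe")     # never went through vetting
        with open(approved, "wb") as f:
            f.write(b"MZ\x90\x00 constructed chartgen v1.0 payload")
        with open(tampered, "wb") as f:
            f.write(b"MZ\x90\x00 constructed chartgen v1.0 payloaX")
        with open(unknown, "wb") as f:
            f.write(b"MZ\x90\x00 constructed unknown program")

        # Only chartgen.exe passed vetting (hash checked, business need confirmed).
        allowlist = build_allowlist(
            [(approved, "chartgen", "required for charts in sponsor report")]
        )
        decisions["approved"] = is_execution_allowed(approved, allowlist, audit_log)
        decisions["tampered"] = is_execution_allowed(tampered, allowlist, audit_log)
        decisions["unknown"] = is_execution_allowed(unknown, allowlist, audit_log)
    return decisions, audit_log


if __name__ == "__main__":
    results, log = demo()
    for line in log:
        print(line)
    print(results)
```

Running the block allows only the vetted file; the single-byte-modified copy and the unvetted download are both denied by default, and each decision lands in the audit log. Real allowlisting products (the kind SP 800-167 covers) enforce this at the operating-system level and usually accept publisher signatures as well as hashes, which avoids re-approving every patched version; the example shows only the hash-based rule.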

Source: NIST Special Publication 800-171 Rev. 2

CM-7 (4)

LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE / BLACKLISTING

Description:
The organization:
    (a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
    (b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
    (c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].

Supplemental Guidance:
The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5.

CM-7 (5)

LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE / WHITELISTING

Description:
The organization:
    (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
    (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
    (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].

Supplemental Guidance:
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02