NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors who are subject to 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.

AC-3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Control Family: Configuration Management

Control Type: Derived

SPRS Value: 5

SPRS Supplemental Guidance:

N/A

CMMC Level(s):

CM.L2-3.4.7

Top Ten Failed Requirement:

No

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

CM-7(1)
CM-7(2)

NIST Supplemental Guidance:

N/A

Discussion:

Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination of which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.

Upon assessment, assessors must determine if:

3.4.7[a] essential programs are defined.
3.4.7[b] the use of nonessential programs is defined.
3.4.7[c] the use of nonessential programs is restricted, disabled, or prevented as defined.
3.4.7[d] essential functions are defined.
3.4.7[e] the use of nonessential functions is defined.
3.4.7[f] the use of nonessential functions is restricted, disabled, or prevented as defined.
3.4.7[g] essential ports are defined.
3.4.7[h] the use of nonessential ports is defined.
3.4.7[i] the use of nonessential ports is restricted, disabled, or prevented as defined.
3.4.7[j] essential protocols are defined.
3.4.7[k] the use of nonessential protocols is defined.
3.4.7[l] the use of nonessential protocols is restricted, disabled, or prevented as defined.
3.4.7[m] essential services are defined.
3.4.7[n] the use of nonessential services is defined.
3.4.7[o] the use of nonessential services is restricted, disabled, or prevented as defined.
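
The objectives above follow one pattern: define what is essential, then show that everything else is restricted "as defined". The following added example (not from NIST or this site) shows the second half of that pattern for ports, protocols and services, and, through the owning process, for programs: it parses a constructed sample in the layout of `ss -tulnp` output, compares each listening socket against a hypothetical documented baseline of essential (protocol, port, owning service) entries, and reports every listener the baseline does not cover. The baseline, the sample output and the process names are all constructed for the example; the script reads nothing from a live host.

```python
"""Added example: flag listening sockets not covered by a documented
'essential ports, protocols and services' baseline (3.4.7[g]-[o]).
All inputs below are constructed for illustration, not captured from a real system."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -tulnp` (header line plus six sockets).
# The kernel truncates process names to 15 characters, hence "transmission-da".
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      5      0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1310,fd=4))
tcp   LISTEN 0      4096   127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      128    0.0.0.0:6881       0.0.0.0:*         users:(("transmission-da",pid=2204,fd=9))
"""

# Hypothetical organizational baseline: essential (protocol, port) pairs and the
# service documented as the owner of each. Anything not listed is nonessential.
ESSENTIAL = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "nginx",
    ("tcp", 5432): "postgres",
    ("udp", 68): "dhclient",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# Matches one socket line: protocol, state, queues, local addr:port, peer, optional owner.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+?):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(text):
    """Turn ss-style output into Listener records; unrecognized lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or a line in a layout we do not understand
        listeners.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def find_nonessential(listeners, essential=ESSENTIAL):
    """Return (listener, reason) pairs for every socket the baseline does not cover.

    Two failure modes are reported: a port/protocol absent from the baseline, and an
    essential port that is open but owned by a process other than the documented one
    (the port is 'defined', but the service using it is not the one that was approved).
    """
    findings = []
    for lst in listeners:
        expected = essential.get((lst.proto, lst.port))
        if expected is None:
            findings.append((lst, "port/protocol not in the essential baseline"))
        elif expected != lst.process:
            findings.append((lst, f"owned by '{lst.process}', baseline expects '{expected}'"))
    return findings


def report(text, essential=ESSENTIAL):
    """Human-readable lines, one per finding, suitable for an assessment artifact."""
    return [
        f"{lst.proto}/{lst.port} on {lst.addr} ({lst.process}): {reason}"
        for lst, reason in find_nonessential(parse_ss(text), essential)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_SS_OUTPUT):
        print(line)
```

Run against the constructed sample, the report names FTP (tcp/21, vsftpd) and the peer-to-peer client (tcp/6881) as listeners outside the baseline, which are exactly the two protocol classes the Discussion gives as candidates for disabling. The baseline dictionary is the artifact that satisfies "essential ports/protocols/services are defined"; the report is evidence toward "restricted as defined", and a diff of consecutive reports over time supports the documented periodic review the Examine list asks for.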

Assessors are instructed to:

Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system security plan; system design documentation; security configuration checklists; system configuration settings and associated documentation; specifications for preventing software program execution; documented reviews of programs, functions, ports, protocols, and/or services; change control records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for reviewing programs, functions, ports, protocols, and services on the system; personnel with information security responsibilities; system or network administrators; system developers].

Test: [SELECT FROM: Organizational processes for reviewing and disabling nonessential programs, functions, ports, protocols, or services; mechanisms implementing review and handling of nonessential programs, functions, ports, protocols, or services; organizational processes preventing program execution on the system; organizational processes for software program usage and restrictions; mechanisms supporting or implementing software program usage and restrictions; mechanisms preventing program execution on the system].
