CMMC Practice CM.2.062

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.


CMMC Version 1.02, pg. 113

Bold Coast Security Guidance

for Level 2 compliance, your policy must state that the principle of "least functionality" is employed in system configuration baselines. It might also state that where feasible, servers will be deployed as "single function", meaning each server performs only one main function in the organization. A key concept in security is "least functionality" to accomplish the purpose a system is deployed to accomplish, and no more. What that means is we want our computers and devices to be built / configured to perform only those functions that enable them to do the job we need them to do. Allowing systems to be configured to do things we don't need presents a security risk. The bigger the "attack surface" the easier it is for hackers to find a way to compromise our IT systems.

Discussion From Source

DRAFT NIST SP 800-171 R2 Systems can provide a wide variety of functions and services . Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations . It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host- based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.