CMMC Practice CM.2.063

Control and monitor user-installed software.


CMMC Version 1.02, pg. 114

Bold Coast Security Guidance

For Level 2 compliance, your policy must state that users are not permitted to install software without written approval, and that only IT Department staff are authorized to perform the actual installation of approved software. It should also state that users are not permitted membership in the local Administrators security group on their workstations. Additional policy statements may include that the environment will be monitored to confirm that baseline configurations are in place as required, and that only approved software is discovered in scans of the environment.

As a general rule, end users should not be permitted to install software on their own; IT administrators should be the only personnel with permissions to install software. The organization should maintain a list of approved software, and when a request is received to install software not already on that list, a careful review should be performed to confirm the requested software meets basic security standards. Is it from a reputable vendor? Are there known security vulnerabilities that an attacker could exploit? Does the vendor update and patch its software as vulnerabilities are discovered?

Once installation permissions have been restricted, a program of regular, periodic monitoring of what is actually installed on the computer systems in your environment should be implemented. Periodic audits can be accomplished by automated means or by spot-checking systems manually. Automated systems exist that continuously monitor every system in an environment and send alerts to the appropriate personnel if any non-standard software is detected. If such a system is not appropriate for an organization because of size, budget, or personnel constraints, a manual process can suffice, provided it is consistent and careful.
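The following is an added example of the manual spot-check described above, written for this page rather than taken from the CMMC document or from Bold Coast Security. It is a PowerShell script for a single Windows workstation that enumerates installed software from the registry uninstall keys (machine-wide and per-user), compares it against an approved-software list, and checks who is in the local Administrators group. The approved-software list and the allowed administrator names are constructed assumptions; replace them with the organization's maintained list.

```powershell
# Added example (not from CMMC or Bold Coast Security): spot-check one Windows
# workstation against an approved-software list and the policy statement that
# ordinary users are not members of the local Administrators group.

# Constructed approved-software list. In practice this is the organization's
# maintained list; Name may use wildcards, Publisher must match exactly.
$approved = @'
Name,Publisher
Microsoft 365 Apps for enterprise*,Microsoft Corporation
Google Chrome,Google LLC
7-Zip*,Igor Pavlov
'@ | ConvertFrom-Csv

# Accounts permitted in local Administrators (leaf names only; the group reports
# members as COMPUTER\name or DOMAIN\name). These names are assumptions.
$allowedAdmins = @('Administrator', 'IT-Workstation-Admins')

# Where installers register themselves. The HKCU key catches per-user installs,
# which a non-admin user can perform without IT involvement.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Inventory: skip entries without a display name and hidden system components.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, Publisher, DisplayVersion,
        @{ Name = 'Scope'; Expression = { if ($_.PSDrive.Name -eq 'HKCU') { 'User' } else { 'Machine' } } }

# Anything installed that matches no approved entry (name and publisher) is a finding.
$unapproved = $installed | Where-Object {
    $app = $_
    -not ($approved | Where-Object { $app.DisplayName -like $_.Name -and $app.Publisher -eq $_.Publisher })
}

# Local Administrators membership (Microsoft.PowerShell.LocalAccounts, Windows 10 / Server 2016 and later).
$unexpectedAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $allowedAdmins -notcontains ($_.Name -split '\\')[-1] }

# Evidence record for the audit file; assessors will ask to see these.
$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Checked          = Get-Date
    InstalledCount   = @($installed).Count
    Unapproved       = @($unapproved | Select-Object DisplayName, Publisher, DisplayVersion, Scope)
    UnexpectedAdmins = @($unexpectedAdmins | Select-Object Name, ObjectClass, PrincipalSource)
}

$report | ConvertTo-Json -Depth 3

# A non-zero exit lets a scheduled task, RMM agent or SIEM collector raise an alert.
if ($report.Unapproved.Count -gt 0 -or $report.UnexpectedAdmins.Count -gt 0) { exit 1 }
exit 0
```

Two practical caveats: the HKCU key only reflects the profile the script runs under, so when it is scheduled as SYSTEM the per-user hives of other accounts need to be enumerated separately (or the script run in each user's session); and a publisher string in the registry is self-reported by the installer, so the allowlist comparison is a configuration check, not proof of the software's provenance. Keep the JSON output from each run as the audit trail that the monitoring program actually happened.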

Discussion From Source

DRAFT NIST SP 800-171 R2

Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved "app stores." Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.