CMMC Practice CM.L2-3.4.9

Control and monitor user-installed software.

Bold Coast Security Guidance

As a general rule, end users should not be permitted to install software on their own; IT administrators should be the only personnel with permissions to install it. The organization should maintain a list of approved software, and when a request is received to install software not already on that list, a deliberate review should be performed to confirm the software meets basic security standards. Is it from a reputable vendor? Does it have known security vulnerabilities that an attacker could exploit? Does the vendor release updates and patches as vulnerabilities are discovered? Software that passes review is added to the approved list; software that does not is explicitly prohibited.

Once installation permissions are in place, the organization should regularly verify what is actually installed on the systems in its environment, because the restriction is only effective if it is checked. Periodic audits can be performed by automated means or by manually spot-checking systems. Automated tools can continuously inventory every system, compare the inventory against the approved list, and alert the appropriate personnel when non-standard software is detected. If such a tool is not practical for an organization because of its size, budget, or staffing constraints, a manual process can suffice, provided it is performed consistently and carefully and the results are recorded.
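The automated comparison described above, as an added example that is not part of the Bold Coast guidance or the NIST text: a small Python audit that reads a consolidated installed-software inventory, compares each item against the approved list, and reports anything that is unapproved, comes from an unexpected publisher, or is older than the approved minimum version. The CSV inventory format, the hostnames, the approved-list entries and the version thresholds are all constructed for this example; a real inventory would typically be exported from the Windows Uninstall registry keys, a package manager, or an endpoint agent.

```python
"""Audit an installed-software inventory against an approved-software list.

Example code written for this page; the inventory format and approved
entries below are assumptions, not data from any real environment.
"""
import csv
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Approved:
    """One entry on the organization's approved-software list."""
    name: str
    publisher: str
    min_version: tuple  # installs older than this are flagged as unpatched


@dataclass(frozen=True)
class Finding:
    host: str
    name: str
    version: str
    publisher: str
    reason: str


# Hypothetical approved list (constructed for this example).
APPROVED = [
    Approved("7-Zip", "Igor Pavlov", (23, 1)),
    Approved("Google Chrome", "Google LLC", (124, 0)),
    Approved("Notepad++", "Notepad++ Team", (8, 6)),
]

# Constructed inventory export for two hosts. In practice this would be
# collected from the Uninstall registry keys, dpkg/rpm, or an agent.
SAMPLE_INVENTORY = """host,name,version,publisher
ws-01,7-Zip,23.01,Igor Pavlov
ws-01,Google Chrome,124.0.6367.91,Google LLC
ws-01,FreeTool Deluxe,1.0,Unknown Publisher
ws-02,7-Zip,19.00,Igor Pavlov
ws-02,Notepad++,8.6.4,Notepad++ Team
ws-02,Google Chrome,124.0.6367.91,Chrome Installer Inc
"""


def parse_version(text):
    """'124.0.6367.91' -> (124, 0, 6367, 91); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def _norm(s):
    return s.strip().casefold()


def audit(inventory_csv, approved):
    """Return one Finding per installed item that deviates from the approved list."""
    by_name = {_norm(a.name): a for a in approved}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        entry = by_name.get(_norm(row["name"]))
        if entry is None:
            reason = "not on approved list"
        elif _norm(row["publisher"]) != _norm(entry.publisher):
            # Same product name, different publisher: possibly a repackaged
            # or trojanized installer rather than the approved one.
            reason = f"publisher mismatch (expected {entry.publisher!r})"
        elif parse_version(row["version"]) < entry.min_version:
            wanted = ".".join(str(n) for n in entry.min_version)
            reason = f"below minimum approved version {wanted}"
        else:
            continue  # approved name, publisher and version: nothing to report
        findings.append(Finding(row["host"], row["name"], row["version"],
                                row["publisher"], reason))
    return findings


def hosts_needing_attention(findings):
    """Distinct hosts with at least one finding, for routing alerts."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, APPROVED):
        print(f"{f.host}: {f.name} {f.version} ({f.publisher}) -> {f.reason}")
```

Matching on publisher as well as product name is deliberate: a lookalike package that reuses an approved product's name but carries a different publisher string should be treated as unapproved, not silently accepted. The minimum-version check turns the same audit into a quick patch-currency check, which is the other half of the "does the vendor patch it, and have we applied the patch" question raised above.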

Discussion From Source

DRAFT NIST SP 800-171 R2

Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.
