CMMC Practice CM.3.068

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.


CMMC Version 1.02, pg. 121

Bold Coast Security Guidance

For Level 2 compliance, your policy must state that as part of required system configuration and security baselines is the requirement to disable unnecessary programs, functions, ports, protocols, and services. For Level 3 compliance, a management plan must also be enacted to ensure this policy requirement is accomplished, measured for effectiveness, and reported to organizational stakeholders. We previously mentioned minimizing the "attack surface" available to hackers, and that's what this capability provides. We have bedrock concepts in information security related to "least functionality" and "least privilege". These two fundamentals are about the same goal: Allow only enough access and functionality to achieve the business purpose, and no more. The security implications of doing this well are measurable. The less you have to support, the less you'll spend on support. That's why your baseline system configuration and hardening procedures should include disabling / deleting any programs, functions, ports, protocols, and services that are not required to meeting business requirements for each system and device type.

Discussion From Source

DRAFT NIST SP 800-171 R2 Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, FTP, and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.