CMMC Practice CM.4.073
Employ application whitelisting and an application vetting process for systems identified by the organization.
Bold Coast Security Guidance
For Level 2 compliance, your policy must require that an approved software list is maintained and that requested new software goes through a careful, methodical vetting practice before installation. For Level 3 compliance, a management plan must be in place describing the specific procedures that direct personnel to perform the vetting process in a repeatable and auditable way.
At this maturity level we've developed the organizational intelligence to sustain a whitelisted environment. Like any capability, practice is required to develop maturity, and maturity equates to dependability.
When new software is required, it is moved quickly into the vetting process to understand how it will integrate in your unique environment. That includes understanding possible conflicts with existing applications, dependencies, and the best functional and security configuration for that application.
DRAFT NIST SP 800-171 R2 (MODIFIED)
The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting.
Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. This practice requires the use of application whitelisting where feasible.
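The check described above, as an added illustration that is not part of CMMC, NIST SP 800-171 or SP 800-167: the vetting step records a SHA-256 digest for each approved program, and the pre-execution check refuses anything whose name is not on the list or whose bytes no longer match the vetted build. The program names, list structure and sample binaries are constructed for this example.

```python
"""Hash-based application whitelist with a vetting record (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    APPROVED = "approved"                  # listed and bytes match the vetted build
    NOT_LISTED = "not listed"              # never went through the vetting process
    INTEGRITY_FAILED = "integrity failed"  # listed, but bytes differ from vetted build


@dataclass(frozen=True)
class ApprovedEntry:
    name: str
    sha256: str  # hex digest recorded when the program was vetted


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vet_software(name: str, binary: bytes) -> ApprovedEntry:
    """Vetting step: record the digest of the exact build that was reviewed and approved."""
    return ApprovedEntry(name=name, sha256=sha256_hex(binary))


def check_execution(name: str, binary: bytes,
                    allowlist: dict[str, ApprovedEntry]) -> Verdict:
    """Pre-execution check: whitelisting (name) plus integrity verification (digest)."""
    entry = allowlist.get(name)
    if entry is None:
        return Verdict.NOT_LISTED
    # compare_digest avoids leaking how many hex characters matched via timing.
    if not hmac.compare_digest(entry.sha256, sha256_hex(binary)):
        return Verdict.INTEGRITY_FAILED
    return Verdict.APPROVED


# Constructed sample data: one vetted build, one tampered copy, one unvetted program.
VETTED_BUILD = b"constructed sample: approved build of reporting-tool v1.2\n"
TAMPERED_BUILD = VETTED_BUILD + b"constructed sample: appended modification\n"
ALLOWLIST = {e.name: e for e in [vet_software("reporting-tool", VETTED_BUILD)]}

if __name__ == "__main__":
    for label, name, data in [("vetted", "reporting-tool", VETTED_BUILD),
                              ("tampered", "reporting-tool", TAMPERED_BUILD),
                              ("unvetted", "screensaver", b"constructed sample\n")]:
        print(f"{label:9s} {name:15s} -> {check_execution(name, data, ALLOWLIST).value}")
```

Verification at system startup, as the text also allows, is the same check run over every listed program's installed file rather than over a single candidate at launch.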
NIST SP 800-167 provides guidance on application whitelisting.