CMMC Practice RM.5.152

Utilize an exception process for non-whitelisted software that includes mitigation techniques.

Source

CMMC Version 1.02, pg. 219

Bold Coast Security Guidance

An exception process means you have a policy that is enforced, except when certain conditions are met. When those conditions are met, a policy exception must be created in a formal document. It's important to track exceptions, because a changing environment means some exceptions will no longer apply if a policy changes due to a change in the IT environment. For Level 5 compliance an organization must apply the programmatic intelligence across all departments.

Discussion From Source

CMMC Whitelist technologies allow an organization to lock-down their environment in such a way that only allowed software will be able to run on end point and server systems. If a program is not listed on the whitelist, then it is not authorized to run on a given system. While this may help keep organizations secure, it is not realistic to expect a stringent whitelist will meet all of the software needs . Most organizations of any size will need to create a process for expanding the whitelist quickly, or create an exception process that will allow individuals to get permission to run software that is needed for their job, but the organization does not want to globally accept that software running on all endpoints. While whitelist technologies provide a method for organizations to choose which software packages can run in the overall enterprise, they require an organization to understand that some of the users will require software outside of the whitelist (non-whitelist) to be approved for use. A mature organization should have a procedure in place for determining what software is placed on the whitelist for the organization. At the same time, the organization should have a procedure for determining how software may run through an exception process . The exception process will determine what software needs to be authorized that is not within the whitelist. Part of this exception process may be a mitigation strategy, such as placing a given machine in a quarantine zone while it is using the software that is not whitelisted. Carefully controlling what software is authorized (whitelist) is a huge benefit to an organization, but this approach may require whitelist exceptions from time to time based on project and user needs . Having a well -defined process and documenting all steps for determining exceptions are key for demonstrating the maturity of the organization when determining what is safe and not safe to run on the enterprise environment. An organization also needs to understand that each additional software package authorized to run on their environment adds a level of risk to the organization’s enterprise.

References