catalog: SP800-53rev3 / class: Operational / family: (CM) Configuration Management

CM-07: Least Functionality

base control objective:
The organization configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services].

supplemental objective information:
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email server or web server, not both). The functions and services provided by organizational information systems, or individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, file sharing). Organizations consider disabling unused or unnecessary physical and logical ports and protocols (e.g., Universal Serial Bus [USB], File Transfer Protocol [FTP], Internet Protocol Version 6 [IPv6], Hyper Text Transfer Protocol [HTTP]) on information system components to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

enhancements to the base objective:

(1) The organization reviews the information system [Assignment: organization-defined frequency], to identify and eliminate unnecessary functions, ports, protocols, and/or services.

(2) The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage].

(3) The organization ensures compliance with [Assignment: organization-defined registration requirements for ports, protocols, and services].
Enhancement Supplemental Guidance: Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functionality.
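The periodic review in enhancement (1), and the guidance above that scanning and host tooling be used to identify prohibited ports, protocols and services, can be reduced to a simple host-side check. The following is an added example, not NIST text or any catalog tooling: it parses a constructed `ss -tulnp`-style socket listing and reports every listener that is not on an organization-defined allow-list for the host's role (the role name, the allow-list contents and the sample listing are all assumptions).

```python
import re
from typing import Dict, List, Set, Tuple

# Organization-defined allow-list per component role (assumption: this host is a
# web server only, following the "single function per device" guidance).
ALLOWED: Dict[str, Set[Tuple[str, int]]] = {
    "web-server": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}

# Constructed sample in the shape of `ss -tulnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:80               *:*               users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      511    *:443              *:*               users:(("nginx",pid=1203,fd=7))
tcp   LISTEN 0      5      0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1410,fd=4))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=640,fd=12))
"""

# netid, state, recv-q, send-q, local addr:port, peer, optional process name
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (protocol, port, process) for each bound socket line; header is skipped."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _addr, port, proc = m.groups()
            found.append((proto, int(port), proc or "?"))
    return found


def audit(ss_output: str, role: str) -> List[str]:
    """One finding per socket not on the role's allow-list (candidate CM-7 violations)."""
    allowed = ALLOWED[role]
    findings = []
    for proto, port, proc in parse_listeners(ss_output):
        if (proto, port) not in allowed:
            findings.append(f"{proto}/{port} ({proc}) is not in the allowed list for {role}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, "web-server"):
        print("FINDING:", finding)
```

On the sample listing the check flags FTP on tcp/21 and mDNS on udp/5353, which is the kind of output a review at the organization-defined frequency would feed into the elimination decision.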

mapping to FIPS199 baseline:

LOW: base     MOD: base (1)     HIGH: base (1) (2)

related (regimented) controls:

RA-05   Vulnerability Scanning

documents referenced in SP800-53rev3 for CM-07:

Document        Date             Status    Title
NIST SP800-81   August 2010      current   Secure Domain Name System (DNS) Deployment Guide
NIST SP800-83   September 2006   current   Guide to Malware Incident Prevention and Handling