• Requirement

    1. Identify [Assignment: organization-defined software programs authorized to execute on the system];
    2. Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
    3. Review and update the list of authorized software programs [Assignment: organization-defined frequency].
  • Discussion

    Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.

More Info

  • Title

    Least Functionality | Authorized Software — Allow-by-exception
  • Family

    Configuration Management
  • NIST 800-53B Baseline(s)

    • Moderate
    • High
  • Related NIST 800-53 ID


NIST 800-53A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!