Reference: CMMC 2.0
Family: CM
Level Introduced: 2
Title: Application Execution Policy
Practice:
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
CMMC Clarification:
Organizations should determine their blacklisting or whitelisting policy and configure the system to manage software that is allowed to run. Blacklisting or deny-by-exception allows all software to run except if on an unauthorized software list. Whitelisting or permit-by-exception does not allow any software to run except if on an authorized software list. The stronger policy of the two is whitelisting.
Example
You are in charge of managing the IT infrastructure within your organization. To provide better protection for your company you have decided to take a whitelist approach. With additional research you identify a capability within the latest operating system that can control executables, scripts, libraries, or application installers run in your environment. To ensure success you begin by authorizing digitally signed executables. Once deployed you then plan to evaluate and deploy whitelisting for software libraries and scripts.
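The staged rollout in the example (signed executables first, then libraries and scripts, with an audit pass before enforcement) maps directly onto Windows AppLocker, which is deny-all, permit-by-exception for a rule collection as soon as that collection contains any rule. The following PowerShell script is an added illustration, not part of the CMMC practice text and not an official implementation guide. It assumes an elevated session on a Windows edition that ships AppLocker, uses C:\AppLocker as a constructed working folder, and treats C:\Program Files as a placeholder for your vetted software baseline; the AppLocker cmdlets and event IDs it calls are real, the paths and rule name prefix are assumptions.

```powershell
# Added example (not from the CMMC page): staged AppLocker publisher-rule rollout
# on Windows, following the page's approach of whitelisting signed executables first.
# Assumptions: elevated PowerShell on a Windows edition with AppLocker; C:\AppLocker
# is a constructed working folder; $baseline is a placeholder for your vetted software.
#Requires -RunAsAdministrator
Import-Module AppLocker

$WorkDir = 'C:\AppLocker'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Collect file information (publisher signature, hash, path) for executables
#    in the known-good software baseline.
$baseline = 'C:\Program Files'   # ASSUMPTION: vetted applications live here
$fileInfo = Get-AppLockerFileInformation -Directory $baseline -Recurse -FileType Exe

# 2. Generate Publisher rules only. Unsigned files carry no publisher information
#    and are skipped (-IgnoreMissingFileInformation), which is the
#    "authorize digitally signed executables" stage from the example.
#    -Optimize collapses rules per publisher/product instead of one rule per file.
$generated = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher -User Everyone -RuleNamePrefix 'Baseline' `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. Put every generated collection (here: Exe) into AuditOnly for the pilot.
#    Because AppLocker denies anything not matched once a collection has rules,
#    auditing first shows what would be blocked before anything is enforced.
[xml]$policy = $generated
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $WorkDir 'exe-publisher-audit.xml'
$policy.Save($policyPath)

# 4. Check the candidate policy against specific files before deploying it.
#    PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault.
#    Windows binaries will show DeniedByDefault until the default rules
#    (allow %WINDIR% and %PROGRAMFILES%, created from the Local Security
#    Policy console) are merged in, which is itself a useful check.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", "$env:WINDIR\System32\calc.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally, merging with any existing policy (for a domain-wide rollout
#    import the XML into a GPO instead). AppLocker evaluates rules only while the
#    Application Identity service runs; its startup type is normally set by GPO.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service -Name AppIDSvc

# 6. Review audit events before moving the collection from AuditOnly to Enabled.
#    Event ID 8003 = allowed now, but would have been blocked under enforcement.
#    Repeat the same cycle for the Dll and Script collections afterwards.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The order matters for the practice: the audit pass (steps 3 and 6) is what turns a whitelisting policy from a list on paper into evidence that authorized software still runs and unauthorized software would not, and the same cycle is then repeated for the Dll and Script collections that the example defers to a second phase.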
Implementation Strategies
NIST 800-171 Requirements (1)
NIST 800-53 Controls (2)