CMMC v2.13 Practices

CM.L2-3.4.6  

Reference: CMMC v2.13

Family: CM

Level Introduced: 2

Title: Least Functionality

Practice:
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Further Discussion:
You should customize organizational systems to remove non-essential applications and disable unnecessary services. Systems come with many unnecessary applications and settings enabled by default, including unused ports and protocols. Leave only the fewest capabilities necessary for the systems to operate effectively.

Example
You have ordered a new server, which has arrived with a number of free utilities installed in addition to the operating system. Before you deploy the server, you research the utilities to determine which ones can be eliminated without impacting functionality. You remove the unneeded software, then move on to disable unused ports and services. The server that enters production therefore has only the essential capabilities enabled for the system to function in its role [a,b].

Potential Assessment Considerations
• Are the roles and functions for each system identified along with the software and services required to perform those functions [a]?
• Are the software and services required for those defined functions identified [a]?
• Is the information system configured to exclude any function not needed in the operational environment [b]?
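
One way to check objectives [a] and [b] on a Linux server before it enters production, as an added example that is not part of the CMMC text: compare the enabled services and listening TCP ports against the baseline defined for the server's role. The role name, the baseline contents and the sample command output are constructed assumptions.

```python
# Added example: diff a host's observed state against its role baseline.
# Objective [a]: essential services and ports are defined per role (assumed values).
BASELINE = {
    "web": {"services": {"nginx.service", "sshd.service", "chronyd.service"},
            "ports": {22, 443}},
}

# Constructed sample of:
#   systemctl list-unit-files --type=service --state=enabled --no-legend
SAMPLE_UNITS = """\
nginx.service         enabled enabled
sshd.service          enabled enabled
chronyd.service       enabled enabled
cups.service          enabled enabled
avahi-daemon.service  enabled enabled
"""

# Constructed sample of:  ss -H -tln
SAMPLE_SOCKETS = """\
LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
LISTEN 0 511 0.0.0.0:443   0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22       [::]:*
"""

def enabled_services(text):
    """Unit names whose state column reads 'enabled'."""
    return {f[0] for f in map(str.split, text.splitlines()) if f[1:2] == ["enabled"]}

def listening_ports(text):
    """TCP ports in LISTEN state; field 4 is local address:port (IPv4 or [IPv6])."""
    rows = (line.split() for line in text.splitlines())
    return {int(f[3].rsplit(":", 1)[1]) for f in rows if len(f) >= 4 and f[0] == "LISTEN"}

def audit(role, units_text, sockets_text):
    """Objective [b]: report anything enabled or listening beyond the role baseline."""
    if role not in BASELINE:
        raise ValueError(f"no essential capabilities defined for role {role!r}")
    base = BASELINE[role]
    services = enabled_services(units_text)
    return {
        "extra_services": sorted(services - base["services"]),
        "extra_ports": sorted(listening_ports(sockets_text) - base["ports"]),
        "missing_services": sorted(base["services"] - services),
    }

if __name__ == "__main__":
    for finding, items in audit("web", SAMPLE_UNITS, SAMPLE_SOCKETS).items():
        print(f"{finding}: {items}")
```

An empty `extra_services` and `extra_ports` result is the evidence for [b]; a role missing from the baseline is itself a gap against [a].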


Source: CMMC v2.13