CM-7: LEAST FUNCTIONALITY
FedRAMP Baseline Membership CM-7:
- LOW
- MODERATE
- HIGH
The organization:
- a. Configures the information system to provide only essential capabilities; and
- b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
FedRAMP-defined parameter (identical for the LOW, MODERATE and HIGH baselines). The organization:
- a. Configures the information system to provide only essential capabilities; and
- b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: those identified by the United States Government Configuration Baseline (USGCB).
FedRAMP GUIDANCE:
Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc
Partially derived from AC-17 (8).
FedRAMP REQUIREMENT:
The service provider shall use the Center for Internet Security guidelines (Level 1) to establish the list of prohibited or restricted functions, ports, protocols, and/or services, or shall establish its own list if USGCB is not available. If no recognized USGCB is available for the technology in use, the CSP should create its own baseline and include a justification statement explaining how the baseline configuration settings were chosen.
SUPPLEMENTAL GUIDANCE
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
RELATED CONTROLS: CM-7
CONTROL ENHANCEMENTS
CM-7 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW
FedRAMP Baseline Membership CM-7 (1):
- MODERATE
- HIGH
The organization:
- (a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
- (b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
FedRAMP-defined parameters (MODERATE and HIGH baselines). The organization:
- (a) Reviews the information system at least monthly to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
- (b) Disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Supplemental Guidance:
The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.
RELATED CONTROLS: CM-7 (1)
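The monthly review in CM-7 (1)(a) and the network scanning mentioned in the CM-7 supplemental guidance reduce to one comparison: what the host actually exposes versus what the organization has authorized. The Python script below is an added illustration, not text from FedRAMP or NIST 800-53. It parses a constructed sample of `ss -tulnp` output and reports every listener that is either on a prohibited-services table or absent from the organization-defined allowlist. The allowlist, the prohibited-port table and the sample output are all assumptions made for the example.

```python
"""Periodic least-functionality review for CM-7 b and CM-7(1).

Compares the sockets a host is listening on with an organization-defined
allowlist and flags everything else, separating protocols the baseline
prohibits outright from listeners that are merely unlisted.
"""
import re
from dataclasses import dataclass

# Hypothetical organization-defined allowlist for a web tier: (protocol, port)
# pairs the system is authorized to expose. Not a FedRAMP-supplied list.
ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 443)}

# Hypothetical prohibited-services table (CM-7 b). FTP, Telnet and SMB are
# illustrative picks; the organization's own list goes here.
PROHIBITED_PORTS = {21: "ftp", 23: "telnet", 445: "smb"}

# Constructed sample of `ss -tulnp` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=611,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=820,fd=3))
tcp   LISTEN 0      128    0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=901,fd=4))
tcp   LISTEN 0      511    *:443              *:*               users:(("nginx",pid=1002,fd=7))
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=1100,fd=6))
"""

# One ss line: proto, state, queues, local addr:port, peer addr:port, process.
_LINE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Turn ss -tulnp output into Listener records; non-socket lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if m is None:
            continue  # header or unrecognised line
        proto, addr, port, process = m.groups()
        listeners.append(Listener(proto, addr, int(port), process or "?"))
    return listeners


def review(listeners, allowed=ALLOWED_LISTENERS, prohibited=PROHIBITED_PORTS):
    """Return (kind, label, listener) findings for the CM-7(1)(a) review.

    Loopback-only listeners are reported as well: CM-7 is about functions the
    system provides, not only about what is reachable from the network.
    """
    findings = []
    for lst in listeners:
        if lst.port in prohibited:
            findings.append(("PROHIBITED", prohibited[lst.port], lst))
        elif (lst.proto, lst.port) not in allowed:
            findings.append(("UNLISTED", lst.process, lst))
    return findings


if __name__ == "__main__":
    for kind, label, lst in review(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{kind:10s} {lst.proto}/{lst.port:<5d} {lst.addr:15s} {label}")
```

On a real host replace the constructed sample with the output of `ss -tulnp` (or the platform equivalent) and feed the findings into the ticketing process that satisfies CM-7 (1)(b): a PROHIBITED finding is a disable-now item, an UNLISTED one is a decision to either authorize it (update the allowlist) or remove it.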
CM-7 (2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION
FedRAMP Baseline Membership CM-7 (2):
- MODERATE
- HIGH
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
FedRAMP-defined parameters (MODERATE and HIGH baselines). The information system prevents program execution in accordance with [Selection (one or more): organization-defined policies regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage].
FedRAMP GUIDANCE:
This control shall be implemented technically on the information system, so that only programs adhering to the policy are allowed to run (i.e., whitelisting). It must not be satisfied by written policy alone stating what is and is not allowed to run.
Supplemental Guidance: NONE
RELATED CONTROLS: CM-7 (2)
CM-7 (3) LEAST FUNCTIONALITY | REGISTRATION COMPLIANCE
The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
Supplemental Guidance:
Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services.
CM-7 (4) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE/BLACKLISTING
The organization:
- (a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
- (b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
- (c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
Supplemental Guidance:
The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.
RELATED CONTROLS: CM-7 (4)
CM-7 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE/WHITELISTING
FedRAMP Baseline Membership CM-7 (5):
- MODERATE
- HIGH
The organization:
- (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
- (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
- (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
Supplemental Guidance:
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.
RELATED CONTROLS: CM-7 (5)
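CM-7 (4) and CM-7 (5) differ only in the default: allow-all/deny-by-exception versus deny-all/permit-by-exception, and the CM-7 (5) supplemental guidance adds integrity verification of whitelisted programs. The Python example below is added here and is not part of the FedRAMP or NIST text. It implements both decisions side by side, keying the permit-by-exception list on SHA-256 digests rather than names, so a modified build of an approved tool is refused while the name-based blacklist still lets it run. The program names, their contents and the unauthorized-software list are constructed for the example.

```python
"""Execution control for CM-7(2)/(4)/(5): deny-by-exception versus
permit-by-exception, with permitted software bound to a digest."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for approved program builds (hypothetical tools,
# not real binaries). The authorized list stores digests, not names, so a
# renamed or modified file cannot inherit another file's authorization.
APPROVED_BUILDS = {
    "report": b"#!/bin/sh\necho 'approved report tool v1.2'\n",
    "backup": b"#!/bin/sh\necho 'approved backup tool v3.0'\n",
}
AUTHORIZED_DIGESTS = {hashlib.sha256(c).hexdigest() for c in APPROVED_BUILDS.values()}

# Hypothetical organization-defined unauthorized-software list (CM-7(4)(a)).
UNAUTHORIZED_NAMES = {"nc", "telnet", "tftp"}


def decide(path: Path, policy: str) -> tuple[bool, str]:
    """Return (allowed, reason) for executing `path` under `policy`.

    "blacklist": allow-all, deny-by-exception (CM-7(4)(b)); matches on name.
    "whitelist": deny-all, permit-by-exception (CM-7(5)(b)); matches on the
    SHA-256 of the file's contents, which also gives the integrity check
    the CM-7(5) supplemental guidance recommends.
    """
    if policy == "blacklist":
        if path.name in UNAUTHORIZED_NAMES:
            return False, f"{path.name}: on unauthorized-software list"
        return True, f"{path.name}: not on unauthorized-software list"
    if policy == "whitelist":
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if digest in AUTHORIZED_DIGESTS:
            return True, f"{path.name}: digest {digest[:12]}... is authorized"
        return False, f"{path.name}: digest {digest[:12]}... not authorized"
    raise ValueError(f"unknown policy {policy!r}")


def demo() -> dict[tuple[str, str], bool]:
    """Write three constructed programs to a temp dir and decide each under
    both policies. Returns {(file name, policy): allowed}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "report").write_bytes(APPROVED_BUILDS["report"])
        # Same name as an approved tool with the version string altered:
        # stands in for a trojaned or unapproved build.
        (d / "backup").write_bytes(APPROVED_BUILDS["backup"].replace(b"v3.0", b"v3.1"))
        (d / "nc").write_bytes(b"#!/bin/sh\nexec /bin/true\n")
        for name in ("report", "backup", "nc"):
            for policy in ("blacklist", "whitelist"):
                allowed, _reason = decide(d / name, policy)
                results[(name, policy)] = allowed
    return results


if __name__ == "__main__":
    for (name, policy), allowed in sorted(demo().items()):
        print(f"{policy:9s} {name:7s} {'ALLOW' if allowed else 'DENY'}")
```

The run shows why the supplemental guidance calls whitelisting the stronger policy: the altered `backup` passes the blacklist (nothing on the list matches its name) but fails the whitelist, because its digest is not one of the approved builds. In production the digest set would be produced from signed release artifacts and the check enforced by the platform's execution-control mechanism rather than by a script, but the decision logic is the same.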
REFERENCES:
- DoD Instruction 8551.01