BRACKETOLOGY | FEDRAMP

CM-11: USER-INSTALLED SOFTWARE

  • FedRAMP Baseline Membership for CM-11: LOW, MODERATE, and HIGH
FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine whether a control or control enhancement is required for each Impact Baseline (LOW, MODERATE, or HIGH).

The panel below each control or control enhancement gives the FedRAMP Impact Baseline-specific configuration requirements that fill in each of the [BRACKETS] in that control or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.


Panels only appear where there are [BRACKETS] in the control or enhancement, or where FedRAMP-specific requirements or guidance are available.

The organization:

    • a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
    • b. Enforces software installation policies through [Assignment: organization-defined methods]; and
    • c. Monitors policy compliance at [Assignment: organization-defined frequency].
FedRAMP control configuration (the FedRAMP-specific value is the parameter in part c; the same values apply to the LOW, MODERATE, and HIGH baselines):
  • a. Establishes organization-defined policies governing the installation of software by users;
  • b. Enforces software installation policies through organization-defined methods; and
  • c. Monitors policy compliance at Continuously (via CM-7 (5)).

SUPPLEMENTAL GUIDANCE

If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved "app stores." Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.

CONTROL ENHANCEMENTS

CM-11 (1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS

The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
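The automated enforcement and monitoring methods the supplemental guidance describes (CM-11 b and c) and the alerting in CM-11 (1) fit together naturally in one monitor. The following is an added example written for this page, not FedRAMP or NIST text and not any product's implementation. The install-event line format, the policy contents (approved packages, approved sources, privileged users) and the sample log lines are all constructed for illustration; a real deployment would feed it events from its own endpoint agent or package manager logs.

```python
# Added example: an automated CM-11 monitor (not FedRAMP/NIST text).
# Everything below, the log line format, the policy contents and the
# sample events, is constructed for illustration.
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical install-event format emitted by an endpoint agent (constructed).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>install|update) "
    r"package=(?P<package>\S+) version=(?P<version>\S+) source=(?P<source>\S+)$"
)


@dataclass(frozen=True)
class InstallEvent:
    ts: str
    user: str
    action: str      # "install" (new software) or "update" (existing software)
    package: str
    version: str
    source: str      # where the package came from, e.g. an organization "app store"


@dataclass(frozen=True)
class Policy:
    """CM-11 a: the organization-defined user-installed-software policy."""
    approved_packages: frozenset   # software any user may install
    approved_sources: frozenset    # organization-approved "app stores"
    privileged_users: frozenset    # CM-11 (2): explicit privileged status


@dataclass(frozen=True)
class Alert:
    """CM-11 (1): record raised for an unauthorized installation."""
    ts: str
    user: str
    package: str
    reason: str


def parse_event(line: str) -> Optional[InstallEvent]:
    """Parse one agent log line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    return InstallEvent(**m.groupdict()) if m else None


def evaluate(event: InstallEvent, policy: Policy) -> Optional[str]:
    """CM-11 b: apply the policy to one event. Returns a violation reason or None."""
    if event.source not in policy.approved_sources:
        return f"source '{event.source}' is not an approved software source"
    # Updates and patches to already-installed software are permitted
    # (CM-11 supplemental guidance) as long as they come from an approved source.
    if event.action == "update":
        return None
    # Privileged users (system administrators) may install from approved sources.
    if event.user in policy.privileged_users:
        return None
    if event.package not in policy.approved_packages:
        return (f"package '{event.package}' is not on the approved list "
                f"and user lacks privileged status")
    return None


def monitor(lines: Iterable[str], policy: Policy):
    """CM-11 c: evaluate every event and return (alerts, summary counters)."""
    alerts = []
    summary = {"events": 0, "compliant": 0, "alerts": 0, "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            summary["unparsed"] += 1   # never silently drop an evidence gap
            continue
        summary["events"] += 1
        reason = evaluate(event, policy)
        if reason is None:
            summary["compliant"] += 1
        else:
            summary["alerts"] += 1
            alerts.append(Alert(event.ts, event.user, event.package, reason))
    return alerts, summary


# Constructed policy and sample log for demonstration.
POLICY = Policy(
    approved_packages=frozenset({"libreoffice", "openssl"}),
    approved_sources=frozenset({"org-appstore"}),
    privileged_users=frozenset({"admin1"}),
)

SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=alice action=install package=libreoffice version=7.6 source=org-appstore
2024-05-01T10:05:00Z user=bob action=install package=randomtool version=0.1 source=personal-download
2024-05-01T10:10:00Z user=carol action=update package=openssl version=3.0.13 source=org-appstore
2024-05-01T10:15:00Z user=dave action=install package=wireshark version=4.2 source=org-appstore
2024-05-01T10:20:00Z user=admin1 action=install package=wireshark version=4.2 source=org-appstore
corrupted line that the agent truncated
"""

if __name__ == "__main__":
    found, counts = monitor(SAMPLE_LOG.splitlines(), POLICY)
    for a in found:
        print(f"ALERT {a.ts} user={a.user} package={a.package}: {a.reason}")
    print(counts)
```

Two design points matter for the control. First, the alert (CM-11 (1)) and the compliance counters (CM-11 c) come from the same evaluation, so the monitoring evidence and the alert stream cannot disagree. Second, lines the monitor cannot parse are counted rather than dropped: a gap in the event feed is itself a finding when the parameter is "Continuously".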

There are no FedRAMP-specific requirements for this enhancement at the LOW, MODERATE, or HIGH Impact baselines.

Supplemental Guidance: NONE

RELATED CONTROLS: CM-11 (1)

CM-11 (2) USER-INSTALLED SOFTWARE | PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS

The information system prohibits user installation of software without explicit privileged status.

Supplemental Guidance:

Privileged status can be obtained, for example, by serving in the role of system administrator.

RELATED CONTROLS: CM-11 (2)

REFERENCES:

  • NO REFERENCES