CMMC Practice Number: CM.L2-3.4.6
CMMC Level: 2 CMMC Domain: Configuration Management (CM)
Practice Summary:
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] essential system capabilities are defined based on the principle of least functionality; and
[b] the system is configured to provide only the defined essential capabilities.
Practice Clarification (DOD, CMU)
You should customize organizational systems to remove non-essential applications and disable unnecessary services [a,b]. Systems come with many unnecessary applications and settings enabled by default including unused ports and protocols. Leave only the fewest capabilities necessary for the systems to operate effectively [a,b].
Example
You have ordered a new server, which has arrived with a number of free utilities installed in addition to the operating system. Before you deploy the server, you research the utilities to determine which ones can be eliminated without impacting functionality. You remove the unneeded software, then move on to disable unused ports and services. The server that enters production therefore has only the essential capabilities enabled for the system to function in its role [a,b].
Potential Assessment Considerations
• Are the roles and functions for each system identified along with the software and services required to perform those functions [a]?
• Are the software and services required for those defined functions identified [a]?
• Is the information system configured to exclude any function not needed in the operational environment [b]?
Where To Look
- Configuration management policy;
- configuration management plan;
- procedures addressing least functionality in the system;
- system security plan;
- system design documentation;
- system configuration settings and associated documentation;
- security configuration checklists;
- other relevant documents or records.
Who To Talk To
- Personnel with security configuration management responsibilities;
- personnel with information security responsibilities;
- system or network administrators.
Perform Test On
- Organizational processes prohibiting or restricting functions, ports, protocols, or services;
- mechanisms implementing restrictions or prohibition of functions, ports, protocols, or services.
Additional Information
Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential company operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, companies should limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., VoIP, Instant Messaging, auto-execute, and file sharing).
The deployment of information system components with reduced/minimal functionality reduces the need to secure every user endpoint, and may reduce the exposure of information, information systems, and services to cyber-attacks. It is good practice to block ports or protocols that are not needed in the operational environment. For example, if you do not need or use VoIP, don’t allow it.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component.
Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end- point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
CMMC References:
· NIST SP 800-171 Rev 1 3.4.6
· NIST CSF v1.1 PR.IP-1, PR.PT-3
· CERT RMM v1.2 TM:SG2.SP2
· NIST SP 800-53 Rev 4 CM-7
· UK NCSC Cyber Essentials