N
|
controlCM-7

Least Functionality (CM-7)

Configure the system to provide only [organization-defined] ; and Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [organization-defined].

Security Baselines

LOWMODERATEHIGH
configurationbaselineschange-control

Why These Connect

Baselined In3

This control is included in the linked security baseline (LOW, MODERATE, or HIGH).

Supports31

These related controls work together — a change to one may affect the others.

Mitigates8

This control helps defend against or reduce the risk of the linked threat technique.

Enhances9

These enhancements add specific capabilities or refinements to the base control.

Related Controls(23)

AC-4Information Flow Enforcement (AC-4)
MH
AC-18Wireless Access (AC-18)
LMH
CM-6Configuration Settings (CM-6)
LMH
AC-3Access Enforcement (AC-3)
LMH
CM-2Baseline Configuration (CM-2)
LMH
CM-5Access Restrictions for Change (CM-5)
LMH
CM-11User-installed Software (CM-11)
LMH
RA-5Vulnerability Monitoring and Scanning (RA-5)
LMH
SA-4Acquisition Process (SA-4)
LMH
SA-5System Documentation (SA-5)
LMH
SA-8Security and Privacy Engineering Principles (SA-8)
LMH
SA-9External System Services (SA-9)
LMH
SA-15Development Process, Standards, and Tools (SA-15)
MH
SC-2Separation of System and User Functionality (SC-2)
MH
SC-3Security Function Isolation (SC-3)
H
SC-7Boundary Protection (SC-7)
LMH
SC-37Out-of-band Channels (SC-37)SI-4System Monitoring (SI-4)
LMH
CM-8System Component Inventory (CM-8)
LMH
CM-10Software Usage Restrictions (CM-10)
LMH
CM-14Signed Components (CM-14)SA-10Developer Configuration Management (SA-10)
MH
SI-7Software, Firmware, and Information Integrity (SI-7)
MH

Threat Coverage(8 ATT&CK techniques)

T1059Command and Scripting InterpreterT1047Windows Management InstrumentationT1547Boot or Logon Autostart ExecutionT1053Scheduled Task/JobT1548Abuse Elevation Control MechanismT1112Modify RegistryT1046Network Service DiscoveryT1021Remote Services

Control Enhancements(9)

CM-7(1)Periodic Review (CM-7(1))
MH
CM-7(2)Prevent Program Execution (CM-7(2))
MH
CM-7(3)Registration Compliance (CM-7(3))
CM-7(4)Unauthorized Software — Deny-by-exception (CM-7(4))
CM-7(5)Authorized Software — Allow-by-exception (CM-7(5))
MH
CM-7(6)Confined Environments with Limited Privileges (CM-7(6))
CM-7(7)Code Execution in Protected Environments (CM-7(7))
CM-7(8)Binary or Machine Executable Code (CM-7(8))
CM-7(9)Prohibiting The Use of Unauthorized Hardware (CM-7(9))

See Also

@SP 800-53 OverviewCompare Baselines