CMMC Requirement CM.L2-3.4.7 – Nonessential Functionality: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
The following provides a sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 and AWS managed Config rules. Each Config rule applies to a specific AWS resource, and relates to one or more CMMC 2.0 Level 2 controls. A CMMC 2.0 Level 2 control can be related to multiple Config rules. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. DoD Instruction 8551.01 Ports, Protocols, and Services Management (PPSM) standardizes procedures to catalog, regulate, and control the use and management of protocols in the Internet protocol suite, and associated ports (also known as protocols, data services, and associated ports or ports, protocols, and services); also referred to as PPS on DoD information networks (DODIN) including the connected information systems, platform information technology (IT) systems, platform IT (PIT), and products based on the potential that unregulated PPSM can damage DoD operations and interests and applies to all PPS used throughout planned, newly developed, acquired, and existing DODIN (whether used internal or external to the enclave), which include DoD Information Technology (IT). This link provides a list of ports, protocols, and/or services that Georgetown University blocks in support of their least functionality guideline. This link provides the definition of a network port and shows the reader how to find open and closed ports. Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This article from netwrix outlines the most vulnerable ports and critical security strategies for protecting against them. Most companies don’t struggle with implementing this practice—they struggle with the documentation. When it’s time to show evidence, things can get messy. You need to define exactly what’s “essential” and “nonessential” and provide proof that you’ve applied these definitions consistently across your systems.
Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.
Further Discussion
Organizations should only use the minimum set of programs, services, ports, and protocols required for to accomplish the organization’s mission. This has several implications:
- All unnecessary programs and accounts are removed from all endpoints and servers.
- The organization makes a policy decision to control the execution of programs through either whitelisting or blacklisting. Whitelisting means a program can only run if the software has been vetted in some way, and the executable name has been entered onto a list of allowed software. Blacklisting means any software can execute as long it is not on a list of known malicious software. Whitelisting provides far more security than blacklisting, but the organization’s policy can direct the implementation of either approach. Control of execution applies to both servers and endpoints.
- The organization restricts the use of all unnecessary ports, protocols, and system services in order to limit entry points that attackers can use. For example, the use of the FTP service is eliminated from all computers, and the associated ports are blocked unless a required service utilizes those ports. The elimination of nonessential functionality on the network and systems provides a smaller attack surface for an attacker to gain access and take control of your network or systems.
This requirement, CM.L2-3.4.7, which requires limiting functionality to essential programs, ports, protocols, and services, extends CM.L2-3.4.6, which requires adherence to the principle of least functionality but does not specifically address which elements of a system should be limited.