CMMC Practice CM.L2-3.4.7 – Nonessential Functionality: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. DoD Instruction 8551.01 Ports, Protocols, and Services Management (PPSM) standardizes procedures to catalog, regulate, and control the use and management of protocols in the Internet protocol suite, and associated ports (also known as protocols, data services, and associated ports or ports, protocols, and services); also referred to as PPS on DoD information networks (DODIN) including the connected information systems, platform information technology (IT) systems, platform IT (PIT), and products based on the potential that unregulated PPSM can damage DoD operations and interests and applies to all PPS used throughout planned, newly developed, acquired, and existing DODIN (whether used internal or external to the enclave), which include DoD Information Technology (IT). The purpose of this procedure is to facilitate the implementation of security control requirements for the Configuration Management control family, as identified in NIST SP 800-53. This link provides a list of ports, protocols, and/or services that Georgetown University blocks in support of their least functionality guideline. This link provides the definition of a network port and shows the reader how to find open and closed ports. This article from netwrix outlines open ports, discusses the risks of open ports, which open ports are safe, and ways to find open ports in your network. They also share tips for ensuring port security.
Discussion [NIST SP 800-171 R2]
Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.
Further Discussion
Organizations should only use the minimum set of programs, services, ports, and protocols required for to accomplish the organization’s mission. This has several implications:
- All unnecessary programs and accounts are removed from all endpoints and servers.
- The organization makes a policy decision to control the execution of programs through either whitelisting or blacklisting. Whitelisting means a program can only run if the software has been vetted in some way, and the executable name has been entered onto a list of allowed software. Blacklisting means any software can execute as long it is not on a list of known malicious software. Whitelisting provides far more security than blacklisting, but the organization’s policy can direct the implementation of either approach. Control of execution applies to both servers and endpoints.
- The organization restricts the use of all unnecessary ports, protocols, and system services in order to limit entry points that attackers can use. For example, the use of the FTP service is eliminated from all computers, and the associated ports are blocked unless a required service utilizes those ports. The elimination of nonessential functionality on the network and systems provides a smaller attack surface for an attacker to gain access and take control of your network or systems.
This practice, CM.L2-3.4.7, which requires limiting functionality to essential programs, ports, protocols, and services, extends CM.L2-3.4.6, which requires adherence to the principle of least functionality but does not specifically address which elements of a system should be limited.