CM.L2-3.4.7 Nonessential Functionality

CMMC Practice CM.L2-3.4.7 – Nonessential Functionality: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Links to Publicly Available Resources


Organizations should only use the minimum set of programs, services, ports, and protocols required for to accomplish the organization’s mission. This has several implications:

  • All unnecessary programs and accounts are removed from all endpoints and servers.
  • The organization makes a policy decision to control the execution of programs through either whitelisting or blacklisting. Whitelisting means a program can only run if the software has been vetted in some way, and the executable name has been entered onto a list of allowed software. Blacklisting means any software can execute as long it is not on a list of known malicious software. Whitelisting provides far more security than blacklisting, but the organization’s policy can direct the implementation of either approach. Control of execution applies to both servers and endpoints.
  • The organization restricts the use of all unnecessary ports, protocols, and system services in order to limit entry points that attackers can use. For example the use of the FTP service is eliminated from all computers, and the associated ports are blocked unless a required service utilizes those ports. The elimination of nonessential functionality on the network and systems provides a smaller attack surface for an attacker to gain access and take control of your network or systems.