CMMC Practice CM.L2-3.4.9 – User-Installed Software: Control and monitor user-installed software.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This article from Microsoft, describes how administrators can configure Windows 10 to prevent users from installing software. The purpose of this publication is to assist organizations in understanding the basics of application whitelisting and planning for its implementation. This sample policy from SANS, can be used to outline the requirements around installation of software on an organizations devices.
Discussion [NIST SP 800-171 R2]
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.
Further Discussion
Software that users have the ability to install is limited to items that the organization approves. When not controlled, users could install software that can create unnecessary risk. This risk applies both to the individual machine and to the larger operating environment. Policies and technical controls reduce risk to the organization by preventing users from installing unauthorized software.