CMMC Practice CM.4.073: Employ application whitelisting and an application vetting process for systems identified by the organization.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
The organization has a procedure to validate systems used for processing CUI information and to identify the applications required for CUI processing. The procedure includes the steps a new application must go through to check it is not malicious and there is a business requirement for the application before it is added to the whitelist. The organization has configured their systems (e.g., desktop, laptop, tablet) to check an application has been approved for use (whitelisted) before the application can run. All unapproved applications are, by default, blocked from running on the organization’s systems. See practice RM.5.152 for more information on handling non-whitelisted software.
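
The following sketch is an added illustration, not part of the CMMC text: it models the two vetting conditions (not malicious, business requirement) and the default-deny run check. Identifying applications by SHA-256 hash, and the names `VettingRequest`, `Allowlist`, `vet` and `may_run`, are assumptions made for the example; the practice does not prescribe a mechanism.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class VettingRequest:              # hypothetical record of one vetting submission
    name: str
    content: bytes                 # the application binary being vetted
    scan_clean: bool               # outcome of the organization's malware check
    business_justification: str    # stated business requirement


@dataclass
class Allowlist:                   # hypothetical allowlist keyed by file hash
    approved: dict = field(default_factory=dict)   # sha256 -> application name

    def vet(self, req: VettingRequest) -> bool:
        """Approve only if the scan passed AND a business need is stated."""
        if not req.scan_clean or not req.business_justification.strip():
            return False
        self.approved[sha256_of(req.content)] = req.name
        return True

    def may_run(self, content: bytes) -> bool:
        """Default deny: anything not explicitly approved is blocked."""
        return sha256_of(content) in self.approved


def demo() -> dict:
    al = Allowlist()
    viewer = b"constructed sample: approved viewer v1"   # constructed input
    results = {
        "vetted_ok": al.vet(VettingRequest("viewer", viewer, True, "Needed to read CUI drawings")),
        "no_justification": al.vet(VettingRequest("game", b"constructed sample: game", True, "  ")),
        "failed_scan": al.vet(VettingRequest("tool", b"constructed sample: tool", False, "Requested by engineering")),
    }
    results["run_approved"] = al.may_run(viewer)
    # A changed binary has a different hash, so it needs its own vetting.
    results["run_modified"] = al.may_run(viewer + b" patched")
    results["run_unknown"] = al.may_run(b"constructed sample: never submitted")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Because approval is tied to the file hash in this sketch, an updated or tampered copy of an approved application is blocked until it passes vetting again.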