CMMC Practice RM.5.152: Utilize an exception process for non-whitelisted software that includes mitigation techniques.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
This practice defines and implements an explicit risk reduction process in the recognition that some software will be installed as an exception to the whitelist policy. Standard software packages that an organization trusts can easily be whitelisted based on risk and need for the organization. Once the whitelist is established, an organization needs to create a process that will allow software to be inspected and considered for operational use, even if only for a short period of time. If an operational need arises for a software package that adds too high of risk for the organization, the organization will need to decide if they will allow the software to run and under what circumstances. Mitigation strategies can be as extensive as only running software on a standalone system, or placing the software in a protected virtual machine with limited access to corporate assets. The list of acceptable mitigation strategies should be determined by the organization’s cyber professional. When a user requests the right to use software that is not whitelisted, the organization should use their documented exception process to determine whether or not they are going to allow non-standard software to be executed on endpoints. If the whitelist technology allows, an organization could associate exception software to a given asset on the enterprise. Another option could be placing the software inside a container and controlling what access it has on a system and on the enterprise.