DoD Instruction 8551.01 – Ports, Protocols, and Services Management (PPSM)
3.4 3.4.7 Configuration Management
https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/855101p.pdf
DoD Instruction 8551.01, Ports, Protocols, and Services Management (PPSM), standardizes procedures to catalog, regulate, and control the use and management of protocols in the Internet protocol suite and their associated ports (also known as "protocols, data services, and associated ports" or "ports, protocols, and services", and also referred to as PPS) on DoD information networks (DODIN), including the connected information systems, platform information technology (IT) systems, platform IT (PIT), and products. The instruction is based on the potential that unregulated PPSM can damage DoD operations and interests. It applies to all PPS used throughout planned, newly developed, acquired, and existing DODIN (whether used internal or external to the enclave), which include DoD Information Technology (IT).
Georgetown University – Restricted List of Ports, Protocols, and/or Services
3.4 3.4.7 Configuration Management
https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/restricted_ports/#
This link provides a list of ports, protocols, and/or services that Georgetown University blocks in support of its least functionality guideline.
https://helpdeskgeek.com/determine-open-and-blocked-ports/
This link provides the definition of a network port and shows the reader how to find open and closed ports.
Netwrix – How Insecure and Vulnerable Open Ports Pose Serious Security Risks
3.4 3.4.7 Configuration Management
https://netwrix.com/en/resources/blog/open-ports-vulnerability-list//
This article from Netwrix outlines the most vulnerable ports and critical security strategies for protecting against them.
NIST SP 800-53: CM-7 Least Functionality
3.4 3.4.7 3.4.8
https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_1/home?element=CM-07
NIST resource that defines requirements for configuring information systems to provide only essential capabilities, such as by restricting or blacklisting software.
Wright Brained – CMMC Practice 3.4.7 – Ports, Protocols, Programs Functions, and Services
3.4 3.4.7 Configuration Management
https://wrightbrainedsecurity.com/cmmc-practice-3-4-7-ports-protocols-programs-functions-and-services/
Most companies don’t struggle with implementing this practice—they struggle with the documentation. When it’s time to show evidence, things can get messy. You need to define exactly what’s “essential” and “nonessential” and provide proof that you’ve applied these definitions consistently across your systems.