Navigate

CCI-001766

CCI-001766 Definition

The organization identifies the organization-defined software programs not authorized to execute on the information system.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must define and document software programs not authorized to execute on the information system. For network capable software, the organization-defined list must include all software programs as defined IAW DoDI 8551.01.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented list of software programs not authorized to execute to ensure that list is defined. The organization conducting the inspection/assessment reviews the list to ensure that any network capable software is included IAW DoDI 8551.01.

Compelling Evidence

1.) Disapproved software list

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001766.

Control	Description
CM-7 (4)	The organization: CM-7 (4)(a): Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; CM-7 (4)(b): Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and CM-7 (4)(c): Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].

Control

Description

CM-7 (4)

The organization:

CM-7 (4)(a): Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];

CM-7 (4)(b): Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and

CM-7 (4)(c): Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].