Navigate

CCI-001772

CCI-001772 Definition

The organization defines the software programs authorized to execute on the information system.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must define and document software programs that are authorized to execute on the information system. DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented list of software programs that are authorized to execute to ensure that list is defined. DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) Approved software list 2.) Rules for approval of software program usage

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001772.

Control	Description
CM-7 (5)	The organization: CM-7 (5)(a): Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; CM-7 (5)(b): Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and CM-7 (5)(c): Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].

Control

Description

CM-7 (5)

The organization:

CM-7 (5)(a): Identifies [Assignment: organization-defined software programs authorized to execute on the information system];

CM-7 (5)(b): Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and

CM-7 (5)(c): Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].