CCI-001774
CCI-001774 Definition
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
Determine if a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed.
Validation Procedures
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs authorized to execute on the system; system component inventory; common secure configuration checklists; review and update records associated with list of authorized software programs; change control records; system audit records; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for identifying software authorized to execute on the system; organizational personnel with information security responsibilities; system/network administrators].
Test: [SELECT FROM: Organizational process for identifying, reviewing, and updating programs authorized to execute on the system; organizational process for implementing authorized software policy; mechanisms supporting and/or implementing authorized software policy].