CCI-003272
CCI-003272 Definition
Status:
Type: CheckType.policy
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed requires the developer to perform attack surface reduction activities, which reduce risk to the organization by giving attackers less opportunity to exploit weaknesses or vulnerabilities. Attack surface reduction may include:
1. Testing and delivering the system with debug options off, or making the debug capabilities inaccessible to unauthorized users;
2. Applying the principle of least privilege;
3. Applying the principle of least functionality (i.e., restricting ports, protocols, functions, and services), deprecating unsafe functions, and eliminating application programming interfaces (APIs) that are vulnerable to cyber attacks;
4. Employing layered defenses;
5. Using trusted physical delivery mechanisms that do not permit access to the element during delivery (ship via a protected carrier, use cleared/official couriers, or a diplomatic pouch);
6. Using trusted logical delivery of products and services (require downloading from approved, verification-enhanced sites);
7. Avoiding the purchase of custom configurations;
8. Using procurement carve-outs (i.e., exclusions to commitments or obligations);
9. Using defensive design approaches;
10. Minimizing the time between purchase decisions and required delivery;
11. Employing a diverse set of suppliers;
12. Employing approved vendor lists with standing reputations in industry;
13. Diversifying and dispersing how the product is acquired (e.g., spot markets); and
14. Employing inventory management policies and processes.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service reduce attack surfaces to thresholds defined in SA-15 (5), CCI 3273.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan requiring developers of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds.