CCI-000382

Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.

Implementation Guidance

Determine if: - the use of [CM-07_ODP[02]; functions to be prohibited or restricted are defined] is prohibited or restricted. - the use of [CM-07_ODP[03]; ports to be prohibited or restricted are defined] is prohibited or restricted. - the use of [CM-07_ODP[04]; protocols to be prohibited or restricted are defined] is prohibited or restricted. - the use of [CM-07_ODP[05]; software to be prohibited or restricted is defined] is prohibited or restricted. - the use of [CM-07_ODP[06]; services to be prohibited or restricted are defined] is prohibited or restricted.

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; system component inventory; common secure configuration checklists; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. Test: [SELECT FROM: Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services; mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services].

The controls below (if any) were marked by NIST as being related to CCI-000382.