CCI-000384

Review the system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, software, and services.

Implementation Guidance

Determine if the system is reviewed [CM-07(01)_ODP[01]; the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined] to identify unnecessary and/or non-secure functions, ports, protocols, software, and services.

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; common secure configuration checklists; documented reviews of functions, ports, protocols, and/or services; change control records; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system; organizational personnel with information security responsibilities; system/network administrators; system developers]. Test: [SELECT FROM: Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system; mechanisms implementing review and disabling of functions, ports, protocols, and/or services].

The controls below (if any) were marked by NIST as being related to CCI-000384.