Navigate

CCI-000384

CCI-000384 Definition

The organization reviews the information system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, and services.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to review the information system every 30 days to identify unnecessary and nonsecure functions, ports, protocols, and services. The organization must maintain an audit trail of the reviews. DoD has defined the frequency as every 30 days.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process and audit trail of reviews to ensure the organization being inspected/assessed reviews the information system every 30 days to identify unnecessary and nonsecure functions, ports, protocols, and services. DoD has defined the frequency as every 30 days.

Compelling Evidence

1.) Approved ports, protocols, and/or services list 2.) Audit trail of ports, protocols, and/or services scan and/or review

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000384.

Control	Description
CM-7 (1)	The organization: CM-7 (1)(a): Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and CM-7 (1)(b): Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].