CCI-003953
CCI-003953 Definition
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
Determine if the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of [CM-07(07)_ODP; personnel or roles to explicitly approve execution of binary or machine-executable code is/are defined].
Validation Procedures
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; list or record of binary or machine-executable code; system component inventory; common secure configuration checklists; system audit records; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for approving execution of binary or machine-executable code; organizational personnel with information security responsibilities; organizational personnel with software management responsibilities; system/network administrators; system developers].

Test: [SELECT FROM: Organizational process for approving execution of binary or machine-executable code; organizational process for confining binary or machine-executable code to physical or virtual machine environments; mechanisms supporting and/or implementing the confinement of binary or machine-executable code to physical or virtual machine environments].