Navigate

CM-7 (1)

CM-7 (1): Periodic Review

The organization:

CM-7 (1)(a): Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

CM-7 (1)(b): Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].

Supplemental

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-7 (1).

Control	Description
AC-18	The organization: AC-18a.: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and AC-18b.: Authorizes wireless access to the information system prior to allowing such connections.
CM-7	The organization: CM-7a.: Configures the information system to provide only essential capabilities; and CM-7b.: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
IA-2	The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Enhancements

The controls below (if any) add on to the requirements of CM-7 (1).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-7 (1).

CCI	Definition
CCI-000384	The organization reviews the information system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, and services.
CCI-001760	The organization defines the frequency of information system reviews to identify unnecessary and/or nonsecure functions, ports, protocols, and services.
CCI-001761	The organization defines the functions, ports, protocols, and services within the information system that are to be disabled when deemed unnecessary and/or nonsecure.
CCI-001762	The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.