Navigate

CM-7(4)

CM-7(4): Unauthorized Software — Deny-by-exception

(a): Identify [software programs not authorized to execute on the system are defined;];

(b): Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and

(c): Review and update the list of unauthorized software programs [frequency at which to review and update the list of unauthorized software programs is defined;].

Supplemental

Unauthorized software programs can be limited to specific versions or from a specific source. The concept of prohibiting the execution of unauthorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
CDS - Access, CDS - Multilevel, CDS - Transfer, DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-7(4).

Control	Description
CM-6	a: Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [common secure configurations to establish and document configuration settings for components employed within the system are defined;]; b: Implement the configuration settings; c: Identify, document, and approve any deviations from established configuration settings for [system components for which approval of deviations is needed are defined;] based on [operational requirements necessitating approval of deviations are defined;] ; and d: Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
CM-8	a: Develop and document an inventory of system components that: 1: Accurately reflects the system; 2: Includes all components within the system; 3: Does not include duplicate accounting of components or components assigned to any other system; 4: Is at the level of granularity deemed necessary for tracking and reporting; and 5: Includes the following information to achieve system component accountability: [information deemed necessary to achieve effective system component accountability is defined;] ; and b: Review and update the system component inventory [frequency at which to review and update the system component inventory is defined;].
CM-10	a: Use software and associated documentation in accordance with contract agreements and copyright laws; b: Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c: Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
PL-9	Centrally manage [security and privacy controls and related processes to be centrally managed are defined;].
PM-5	Develop and update [the frequency at which to update the inventory of organizational systems is defined;] an inventory of organizational systems.

Enhancements

The controls below (if any) add on to the requirements of CM-7(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-7(4).

CCI	Definition
CCI-001765	Defines the software programs not authorized to execute on the system.
CCI-001766	Identify the organization-defined software programs not authorized to execute on the system.
CCI-001767	Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system.
CCI-001768	Defines the frequency on which the list of unauthorized software programs will be reviewed and updated.
CCI-001770	Review and update the list of unauthorized software programs per organization-defined frequency.