Navigate

CM-7 (4)

CM-7 (4): Unauthorized Software / Blacklisting

The organization:

CM-7 (4)(a): Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];

CM-7 (4)(b): Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and

CM-7 (4)(c): Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].

Supplemental

The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-7 (4).

Control	Description
CM-6	The organization: CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; CM-6b.: Implements the configuration settings; CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-8	The organization: CM-8a.: Develops and documents an inventory of information system components that: CM-8a.1.: Accurately reflects the current information system; CM-8a.2.: Includes all components within the authorization boundary of the information system; CM-8a.3.: Is at the level of granularity deemed necessary for tracking and reporting; and CM-8a.4.: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and CM-8b.: Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
PM-5	The organization develops and maintains an inventory of its information systems.

Enhancements

The controls below (if any) add on to the requirements of CM-7 (4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-7 (4).

CCI	Definition
CCI-001765	The organization defines the software programs not authorized to execute on the information system.
CCI-001766	The organization identifies the organization-defined software programs not authorized to execute on the information system.
CCI-001767	The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.
CCI-001768	The organization defines the frequency on which it will review and update the list of unauthorized software programs.
CCI-001769	The organization defines the frequency on which it will update the list of unauthorized software programs.
CCI-001770	The organization reviews and updates the list of unauthorized software programs per organization-defined frequency.
CCI-001771	The organization updates the list of unauthorized software programs per organization-defined frequency.