Navigate

CM-7 (5)

CM-7 (5): Authorized Software / Whitelisting

The organization:

CM-7 (5)(a): Identifies [Assignment: organization-defined software programs authorized to execute on the information system];

CM-7 (5)(b): Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and

CM-7 (5)(c): Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].

Supplemental

The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-7 (5).

Control	Description
CM-2	The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CM-6	The organization: CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; CM-6b.: Implements the configuration settings; CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-8	The organization: CM-8a.: Develops and documents an inventory of information system components that: CM-8a.1.: Accurately reflects the current information system; CM-8a.2.: Includes all components within the authorization boundary of the information system; CM-8a.3.: Is at the level of granularity deemed necessary for tracking and reporting; and CM-8a.4.: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and CM-8b.: Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
PM-5	The organization develops and maintains an inventory of its information systems.
SA-10	The organization requires the developer of the information system, system component, or information system service to: SA-10a.: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; SA-10b.: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; SA-10c.: Implement only organization-approved changes to the system, component, or service; SA-10d.: Document approved changes to the system, component, or service and the potential security impacts of such changes; and SA-10e.: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
SC-34	The information system at [Assignment: organization-defined information system components]: SC-34a.: Loads and executes the operating environment from hardware-enforced, read-only media; and SC-34b.: Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.
SI-7	The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Enhancements

The controls below (if any) add on to the requirements of CM-7 (5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-7 (5).

CCI	Definition
CCI-001772	The organization defines the software programs authorized to execute on the information system.
CCI-001773	The organization identifies the organization-defined software programs authorized to execute on the information system.
CCI-001774	The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system.
CCI-001775	The organization defines the frequency on which it will review and update the list of authorized software programs.
CCI-001776	The organization defines the frequency on which it will update the list of authorized software programs.
CCI-001777	The organization reviews and updates the list of authorized software programs per organization-defined frequency.
CCI-001778	The organization updates the list of authorized software programs per organization-defined frequency.