Navigate

CM-7(1)

CM-7(1): Periodic Review

The organization:

(a): Reviews the information system [one of ] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

(b): Disables [one of ].

Supplemental

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-7(1).

Control	Description
AC-18	The organization: a: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b: Authorizes wireless access to the information system prior to allowing such connections.
CM-7	The organization: a: Configures the information system to provide only essential capabilities; and b: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [one of ].
IA-2	The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Enhancements

The controls below (if any) add on to the requirements of CM-7(1).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-7(1).

CCI	Definition
CCI-000384	Review the system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, software, and services.
CCI-001760	Defines the frequency of system reviews to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services.
CCI-001761	Defines the functions, ports, protocols, software, and services within the information system that are to be disabled or removed when deemed unnecessary and/or nonsecure.
CCI-001762	Disable or remove organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure.