Navigate

CM-7(5)

CM-7(5): Authorized Software / Whitelisting

The organization:

(a): Identifies [one of ];

(b): Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and

(c): Reviews and updates the list of authorized software programs [one of ].

Supplemental

The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-7(5).

Control	Description
CM-2	The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CM-6	The organization: a: Establishes and documents configuration settings for information technology products employed within the information system using [one of ] that reflect the most restrictive mode consistent with operational requirements; b: Implements the configuration settings; c: Identifies, documents, and approves any deviations from established configuration settings for [one of ] based on [one of ]; and d: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-8	The organization: a: Develops and documents an inventory of information system components that: 1: Accurately reflects the current information system; 2: Includes all components within the authorization boundary of the information system; 3: Is at the level of granularity deemed necessary for tracking and reporting; and 4: Includes [one of ]; and b: Reviews and updates the information system component inventory [one of ].
PM-5	The organization develops and maintains an inventory of its information systems.
SA-10	The organization requires the developer of the information system, system component, or information system service to: a: Perform configuration management during system, component, or service [one or more of "design"/"development"/"implementation"/"operation"]; b: Document, manage, and control the integrity of changes to [one of ]; c: Implement only organization-approved changes to the system, component, or service; d: Document approved changes to the system, component, or service and the potential security impacts of such changes; and e: Track security flaws and flaw resolution within the system, component, or service and report findings to [one of ].
SC-34	The information system at [one of ]: a: Loads and executes the operating environment from hardware-enforced, read-only media; and b: Loads and executes [one of ] from hardware-enforced, read-only media.
SI-7	The organization employs integrity verification tools to detect unauthorized changes to [one of ].

Enhancements

The controls below (if any) add on to the requirements of CM-7(5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-7(5).

CCI	Definition
CCI-001772	Defines the software programs authorized to execute on the system.
CCI-001773	Identify the organization-defined software programs authorized to execute on the system.
CCI-001774	Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
CCI-001775	Defines the frequency on which the list of authorized software programs will be reviewed and updated.
CCI-001776	The organization defines the frequency on which it will update the list of authorized software programs.
CCI-001777	Review and update the list of authorized software programs per organization-defined frequency.
CCI-001778	The organization updates the list of authorized software programs per organization-defined frequency.