CM-07.4 · Unauthorized Software — Deny-by-exception

Control Description

Identify {{ insert: param, cm-07.04_odp.01 }}; Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and Review and update the list of unauthorized software programs {{ insert: param, cm-07.04_odp.02 }}.

Impact Baselines

Security baselines where this control applies: Not in any baseline

Control Properties

SP800-53-enhancement, organization, Enhancement

Control Statement

The control requirements

(a) Identify {{ insert: param, cm-07.04_odp.01 }};

(b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and

(c) Review and update the list of unauthorized software programs {{ insert: param, cm-07.04_odp.02 }}.

Supplemental Guidance

Unauthorized software programs can be limited to specific versions or from a specific source. The concept of prohibiting the execution of unauthorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses.
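The three items of the control (identify the unauthorized programs, apply an allow-all, deny-by-exception policy, and review the list periodically) can be illustrated as a small inventory check. The following is an added example, not text from the NIST catalog or from any implementation it references; the record formats, field names, program names and dates are all constructed. It shows the two refinements the guidance mentions, a rule scoped to specific versions and a rule scoped to a specific source, and the default-allow behaviour that distinguishes this policy from the allow-listing in CM-7(5).

```python
"""Deny-by-exception (blocklist) evaluation of a software inventory.

Added illustration for CM-7(4); not part of the NIST control text. All
data structures, names and sample records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class InstalledSoftware:
    """One program observed on the system (constructed inventory record)."""
    name: str
    version: str
    source: str  # publisher or download origin


@dataclass(frozen=True)
class DenyRule:
    """One entry on the list of unauthorized software (control item (a)).

    A rule may prohibit a program outright, only specific versions of it,
    or only copies obtained from a specific source, matching the scoping
    options named in the supplemental guidance.
    """
    name: str
    versions: frozenset[str] = frozenset()  # empty set = every version
    source: Optional[str] = None            # None = every source
    reason: str = ""

    def matches(self, item: InstalledSoftware) -> bool:
        if item.name.lower() != self.name.lower():
            return False
        if self.versions and item.version not in self.versions:
            return False
        if self.source is not None and item.source.lower() != self.source.lower():
            return False
        return True


def evaluate(inventory, rules):
    """Apply an allow-all, deny-by-exception policy (control item (b)).

    Returns {"name version (source)": (allowed, reason)}. Anything not matched
    by a rule is allowed. That default is the defining property of a
    deny-by-exception policy and also its main weakness: software the
    organization has never assessed runs unless a rule names it.
    """
    decisions = {}
    for item in inventory:
        hit = next((r for r in rules if r.matches(item)), None)
        key = f"{item.name} {item.version} ({item.source})"
        decisions[key] = (hit is None, "" if hit is None else hit.reason)
    return decisions


def review_is_overdue(last_reviewed: date, frequency_days: int, today: date) -> bool:
    """Control item (c): flag a denylist whose periodic review has lapsed."""
    return today - last_reviewed > timedelta(days=frequency_days)


# Constructed denylist: one outright ban, one version-scoped rule, one source-scoped rule.
DENYLIST = [
    DenyRule("LegacyFTPClient", reason="transmits credentials in cleartext"),
    DenyRule("ArchiveTool", versions=frozenset({"3.1.0", "3.1.1"}), reason="versions with a known defect"),
    DenyRule("RemoteDesk", source="unofficial-mirror.example", reason="obtained from an untrusted source"),
]

# Constructed inventory as a collector might report it.
INVENTORY = [
    InstalledSoftware("LegacyFTPClient", "2.0", "vendor.example"),
    InstalledSoftware("ArchiveTool", "3.1.1", "vendor.example"),
    InstalledSoftware("ArchiveTool", "3.2.0", "vendor.example"),
    InstalledSoftware("RemoteDesk", "9.0", "unofficial-mirror.example"),
    InstalledSoftware("RemoteDesk", "9.0", "vendor.example"),
    InstalledSoftware("TextEditor", "1.0", "vendor.example"),  # unknown to the list: allowed
]

if __name__ == "__main__":
    for key, (allowed, reason) in evaluate(INVENTORY, DENYLIST).items():
        tag = "ALLOW" if allowed else "DENY "
        print(f"{tag} {key}" + (f"  [{reason}]" if reason else ""))
    print("review overdue:", review_is_overdue(date(2024, 1, 1), 90, date(2024, 6, 1)))
```

Note that the same `ArchiveTool` is denied at 3.1.1 and allowed at 3.2.0, and the same `RemoteDesk 9.0` is denied or allowed depending only on where it came from; that is what the guidance means by limiting unauthorized software to specific versions or a specific source. `TextEditor`, which appears on no rule, is allowed without further inspection, so the review cadence in item (c) is what keeps the list from silently going stale.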

Related NIST Controls
Other NIST 800-53 controls related to this one