CM.L2-3.4.7 Nonessential Functionality

>Control Description

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • How do you identify nonessential programs, functions, ports, protocols, and services?
  • What is your policy for restricting or disabling nonessential functionality?
  • Who approves lists of allowed versus prohibited functionality?
  • How often do you review systems to identify and remove nonessential functionality?

Technical Implementation:

  • What technical methods disable nonessential functions (firewall rules, service disablement)?
  • How do you block unnecessary ports and protocols?
  • What tools identify and remove unnecessary programs?
  • How do you restrict which services can run?
  • What scanning verifies nonessential items are disabled?
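The technical questions above amount to one check an assessor expects to see automated: compare what is actually listening or running on a system against the approved baseline and flag everything else. The script below is an added illustration, not part of this guide or of any CMMC assessment tooling; the baseline list and the sample listener lines are constructed for the example, and the commented `ss` pipeline at the end shows how the same function would be fed on a live Linux host.

```shell
#!/bin/sh
# Added example: report listening ports that are not in the approved baseline.
# Neither the baseline nor the sample data comes from the assessment guide.

# Approved baseline of essential protocol/port pairs (constructed sample; in
# practice this list is drawn from the documented baseline configuration).
APPROVED_PORTS="tcp/22 tcp/443"

# Constructed sample of observed listeners in "proto/port process" form,
# standing in for parsed output of `ss -tulnp`.
SAMPLE_LISTENERS="tcp/22 sshd
tcp/443 nginx
tcp/23 telnetd
udp/161 snmpd
tcp/80 nginx"

# is_approved proto/port -> returns 0 when the pair is in the baseline
is_approved() {
  for p in $APPROVED_PORTS; do
    [ "$1" = "$p" ] && return 0
  done
  return 1
}

# find_nonessential: reads "proto/port process" lines on stdin and prints
# every line whose proto/port is not in the approved baseline.
find_nonessential() {
  while read -r pp proc; do
    [ -z "$pp" ] && continue
    if ! is_approved "$pp"; then
      printf '%s %s\n' "$pp" "$proc"
    fi
  done
}

# count_nonessential: number of deviations found in the constructed sample
count_nonessential() {
  printf '%s\n' "$SAMPLE_LISTENERS" | find_nonessential | wc -l | tr -d ' '
}

# Report for the constructed sample; each line is a finding to remediate
# (disable the service or add it to the baseline with an approval record).
printf '%s\n' "$SAMPLE_LISTENERS" | find_nonessential

# Live use on Linux (assumption: iproute2 `ss` with -t -u -l -n -p -H; the awk
# field positions depend on the ss version, so verify them before relying on it):
# ss -tulnpH | awk '{n=split($5,a,":"); print $1"/"a[n], $7}' | find_nonessential
```

The deviation list is the evidence an assessor asks for under "What scanning verifies nonessential items are disabled?": run it on a schedule, keep the output with the date and host, and tie every remaining entry either to a remediation ticket or to an approved baseline exception.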

Evidence & Documentation:

  • What baseline configuration documentation can you provide?
  • What configuration management plan describes your CM processes?
  • What change request records and approvals can you show?
  • What configuration scanning reports show compliance with baselines?
  • What asset inventory documentation lists all system components?
  • What security configuration benchmarks are applied to systems?
  • What evidence shows configuration changes are tracked and logged?
