CM.L2-3.4.8—Application Execution Policy
Level 2
800-171: 3.4.8
Control Description
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy for application execution control (whitelisting vs blacklisting)?
- How do you determine which approach to use for different systems?
- Who is responsible for maintaining authorized/unauthorized software lists?
- What is your process for reviewing and approving software execution requests?
- How do you handle exceptions to application execution policies?
Technical Implementation:
- What application control technologies do you use (AppLocker, SELinux)?
- How do you technically implement whitelisting or blacklisting?
- What mechanisms enforce application execution policies?
- How do you update allowed/denied application lists?
- What logging captures blocked application execution attempts?
- How do you handle exceptions and approve new applications?
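The control description above names two policy shapes, and the technical questions ask how each is enforced and how blocked attempts are logged. The following is an added illustration written for this page, not code from CMMC, NIST, AppLocker or SELinux: it models both modes over the same three constructed sample files (the paths, file contents and hash lists are all made up) and records every decision, so the difference the two modes make for an unreviewed binary is visible in the output.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample "binaries" (path -> file content). None of these are real software.
SAMPLE_FILES = {
    r"C:\Program Files\Approved\editor.exe": b"approved editor build 1.2.3",
    r"C:\Users\alice\Downloads\badtool.exe": b"known-bad payload",
    r"C:\Users\alice\Downloads\newtool.exe": b"unreviewed vendor utility",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as rule identity; renaming or moving a file does not change it."""
    return hashlib.sha256(data).hexdigest()


# The two exception lists an organisation would maintain under 3.4.8 (constructed here).
APPROVED_HASHES = {sha256_hex(SAMPLE_FILES[r"C:\Program Files\Approved\editor.exe"])}
PROHIBITED_HASHES = {sha256_hex(SAMPLE_FILES[r"C:\Users\alice\Downloads\badtool.exe"])}


@dataclass
class ExecutionPolicy:
    """mode is 'allowlist' (deny-all, permit-by-exception) or 'denylist'
    (permit-all, deny-by-exception); exceptions holds the hashes that override the default."""
    mode: str
    exceptions: set
    log: list = field(default_factory=list)

    def evaluate(self, path: str, content: bytes) -> bool:
        digest = sha256_hex(content)
        listed = digest in self.exceptions
        if self.mode == "allowlist":
            allowed = listed          # default deny: only listed hashes may run
        elif self.mode == "denylist":
            allowed = not listed      # default permit: only listed hashes are blocked
        else:
            raise ValueError(f"unknown policy mode {self.mode!r}")
        # Every decision is recorded so blocked attempts can be produced as assessment evidence.
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "mode": self.mode,
            "path": path,
            "sha256": digest,
            "allowed": allowed,
        })
        return allowed

    def blocked_events(self) -> list:
        """The subset of the log an assessor asks for: denied execution attempts."""
        return [e for e in self.log if not e["allowed"]]


def compare_modes(files: dict = SAMPLE_FILES) -> dict:
    """Run the same files through both modes; returns {mode: {path: allowed}}."""
    results = {}
    for policy in (ExecutionPolicy("allowlist", APPROVED_HASHES),
                   ExecutionPolicy("denylist", PROHIBITED_HASHES)):
        results[policy.mode] = {path: policy.evaluate(path, data) for path, data in files.items()}
    return results


if __name__ == "__main__":
    for mode, verdicts in compare_modes().items():
        print(mode)
        for path, allowed in verdicts.items():
            print(f"  {'ALLOW' if allowed else 'BLOCK'}  {path}")
```

The row to watch is newtool.exe: under deny-by-exception it runs because nobody has listed it yet, under deny-all/permit-by-exception it is blocked until someone approves it. That is the trade-off the first governance question is probing, and the log entries are the kind of record the "what logging captures blocked attempts" question expects, whatever enforcement tool actually produces them.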
Evidence & Documentation:
- What baseline configuration documentation can you provide?
- What configuration management plan describes your CM processes?
- What change request records and approvals can you show?
- What configuration scanning reports show compliance with baselines?
- What asset inventory documentation lists all system components?
- What security configuration benchmarks are applied to systems?
- What evidence shows configuration changes are tracked and logged?