CM-7—Least Functionality
>Control Description
Configure the system to provide only [organization-defined mission-essential capabilities]; and
Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
>DoD Impact Level Requirements
Additional Requirements and Guidance
CM-7 (b) Requirement: The service provider shall use security configuration guidelines (see CM-6) to establish the list of prohibited or restricted functions, ports, protocols, and/or services, or shall establish its own list of prohibited or restricted functions, ports, protocols, and/or services if no STIG or CIS Benchmark is available for the component.
>Discussion
Systems provide a wide variety of functions and services. Some of the functions and services routinely enabled by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk compared with limiting that component to a single service: every additional listener is additional attack surface, and a compromise of one service exposes the others co-located with it.
Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and endpoint protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Disabling a service is only half the control: the organization-defined allow list has to be compared against what is actually running and reachable, on a recurring basis, so that drift (a package upgrade re-enabling a daemon, a security group widened during troubleshooting) is caught.
Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).
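The comparison described above, as an added worked example that is not part of the control text or of any FedRAMP or DoD artifact: it checks a Linux host's listening sockets and running services, and the AWS security groups in front of it, against an organization-defined allow list. It consumes the output of the same `ss`, `systemctl list-units` and `aws ec2 describe-security-groups` commands that the Programmatic Queries section lists. The allow lists (`ALLOWED_PORTS`, `ALLOWED_SERVICES`) are hypothetical CM-7 parameters, and every sample input below is constructed so the script runs offline.

```python
"""Least-functionality audit: what a host exposes and what its security groups
admit, compared against an organization-defined allow list (CM-7a/b).

Added example, not from the control text. Sample inputs are constructed; on a
real host feed in `ss -tlnpH`, `systemctl list-units --type=service
--state=running --plain --no-legend` and the JSON printed by
`aws ec2 describe-security-groups`.
"""
import json
import re

# Hypothetical organization-defined parameters (not from the page).
ALLOWED_PORTS = {22, 443}
ALLOWED_SERVICES = {"sshd.service", "nginx.service",
                    "amazon-ssm-agent.service", "systemd-journald.service"}
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*", "::"}   # bound on every interface
WORLD = {"0.0.0.0/0", "::/0"}                      # reachable from anywhere
PROC_RE = re.compile(r'\(\("([^"]+)"')             # process name in ss output

# Constructed `ss -tlnp` output.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1101,fd=6))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       4096    *:111               *:*                users:(("rpcbind",pid=512,fd=4))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Constructed `systemctl list-units --type=service --state=running` output.
SYSTEMCTL_SAMPLE = """\
  UNIT                      LOAD   ACTIVE SUB     DESCRIPTION
  amazon-ssm-agent.service  loaded active running amazon-ssm-agent
  cups.service              loaded active running CUPS Scheduler
  nginx.service             loaded active running A high performance web server
  rpcbind.service           loaded active running RPC bind portmap service
  sshd.service              loaded active running OpenSSH server daemon
  systemd-journald.service  loaded active running Journal Service
"""

# Constructed `aws ec2 describe-security-groups` output (IDs are made up).
SG_SAMPLE = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0", "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                      # -1 = every protocol/port
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]}]})


def parse_listeners(ss_text):
    """(local address, port, process) for each LISTEN row of `ss -tlnp`."""
    rows = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                       # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        rows.append((addr, int(port), m.group(1) if m else "?"))
    return rows


def unexpected_listeners(ss_text, allowed_ports=ALLOWED_PORTS):
    """Listening ports outside the allow list. Wildcard binds are 'exposed';
    loopback binds are 'local' (still unnecessary function, lower exposure)."""
    return [(port, proc, "exposed" if addr in WILDCARD_ADDRS else "local")
            for addr, port, proc in parse_listeners(ss_text)
            if port not in allowed_ports]


def unexpected_services(systemctl_text, allowed=ALLOWED_SERVICES):
    """Running service units outside the allow list: disable or remove them."""
    units = [line.split()[0] for line in systemctl_text.splitlines()
             if line.split() and line.split()[0].endswith(".service")]
    return sorted(u for u in units if u not in allowed)


def world_open_rules(sg_json, allowed_ports=ALLOWED_PORTS):
    """Inbound rules reachable from 0.0.0.0/0 or ::/0 whose port range is not
    fully covered by the allow list. Non-TCP/UDP rules (all-traffic, ICMP) are
    treated as covering every port, so they are flagged unless allowed."""
    findings = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD:
                continue
            if perm["IpProtocol"] in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                lo, hi = 0, 65535
            if all(p in allowed_ports for p in range(lo, hi + 1)):
                continue
            findings.append((sg["GroupId"], perm["IpProtocol"], lo, hi,
                             sorted(cidrs & WORLD)))
    return findings


def audit(ss_text=SS_SAMPLE, systemctl_text=SYSTEMCTL_SAMPLE, sg_json=SG_SAMPLE):
    """Full report: each list is evidence of CM-7 drift that needs a ticket."""
    return {"listeners": unexpected_listeners(ss_text),
            "services": unexpected_services(systemctl_text),
            "sg_rules": world_open_rules(sg_json)}


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("  ", item)
```

On the constructed input the report flags cupsd on 631 (loopback only) and rpcbind on 111 (bound to all interfaces), the `cups.service` and `rpcbind.service` units, and two security-group rules: RDP open to the IPv4 world, and an all-traffic rule open to the IPv6 world that the `ip-permission.cidr` filter in the CLI section would never show because it only matches IPv4 ranges. The host-side and network-side views are checked separately on purpose: a closed security group does not make a listening daemon acceptable under CM-7, and a disabled daemon does not make a world-open rule acceptable.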
>Programmatic Queries
Related Services
CLI Commands
Security groups with an inbound rule open to any IPv4 address (this filter matches only IPv4 ranges; repeat it with 'Name=ip-permission.ipv6-cidr,Values=::/0' to catch rules open to the IPv6 world):
aws ec2 describe-security-groups --filters 'Name=ip-permission.cidr,Values=0.0.0.0/0'
Security groups actually attached to a network interface, so the review can focus on groups that are in use rather than every group in the account:
aws ec2 describe-network-interfaces --query 'NetworkInterfaces[*].Groups[*].GroupId' --output text | sort -u
Services running on an instance, collected through SSM without opening an interactive session (compare the result against the organization-defined allow list):
aws ssm send-command --instance-ids INSTANCE_ID --document-name 'AWS-RunShellScript' --parameters 'commands=["systemctl list-units --type=service --state=running"]'
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of CM-7 (Least Functionality)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring CM-7?
- How frequently is the CM-7 policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to CM-7?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce CM-7 requirements.
- What automated tools, systems, or technologies are deployed to implement CM-7?
- How is CM-7 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce CM-7 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of CM-7?
- What audit logs, records, reports, or monitoring data validate CM-7 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of CM-7 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate CM-7 compliance?