>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CM-7(5)Least Functionality | Authorized Software -- Allow-by-exception

IL4 Mod
IL4 High
IL5
IL6

>Control Description

(a) Identify organization-defined software programs authorized to execute on the system; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs organization-defined frequency.

>DoD Impact Level Requirements

FedRAMP Parameter Values

CM-7 (5) (c) [at least quarterly or when there is a change]

DoD FedRAMP+ Parameters

DSPAV must be used.

>Discussion

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries.

The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup.

The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.

>Programmatic Queries

Beta

Related Services

AWS Systems Manager
AWS EC2 Image Builder

CLI Commands

Create Systems Manager parameter for authorized software list
aws ssm put-parameter --name /security/authorized-software --value file://authorized-apps.json --type String --region us-east-1
Create custom AMI with only authorized software
aws imagebuilder create-image-pipeline --infrastructure-configuration-arn arn:aws:imagebuilder:us-east-1:123456789012:infrastructure-configuration/secure-config --component-configuration-list file://components.json
Scan instance for unauthorized software
aws ssm send-command --document-name AWS-RunShellScript --instance-ids i-1234567890abcdef0 --parameters 'commands=["rpm -qa"]' --region us-east-1
List approved software packages
aws ssm get-parameter --name /security/authorized-software --region us-east-1
Open AWS ConsoleDocumentation

>Related Controls

CM-2
CM-6
CM-8
CM-10
PL-9
PM-5
SA-10
SC-34
SI-7

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-7(5) (Authorized Software -- Allow-By-Exception)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-7(5)?
  • How frequently is the CM-7(5) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-7(5)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-7(5) requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-7(5)?
  • How is CM-7(5) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-7(5) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-7(5)?
  • What audit logs, records, reports, or monitoring data validate CM-7(5) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-7(5) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-7(5) compliance?

Ask AI

Configure your API key to use AI features.