>myctrl.tools
Preferences
Under active development Content is continuously updated and improved · Last updated Feb 18, 2026, 2:55 AM UTC
Compare

CM-7 (05)Least Functionality | Authorized Software -- Allow-by-exception

Moderate
High

>Control Description

(a) Identify organization-defined software programs authorized to execute on the system; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs organization-defined frequency.

>FedRAMP Baseline Requirements

Parameter Values

>Discussion

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries.

The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup.

The identification of authorized URLs for websites is addressed in CA-3 (5) and SC-7.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-7(5) (Authorized Software -- Allow-By-Exception)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-7(5)?
  • How frequently is the CM-7(5) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-7(5)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-7(5) requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-7(5)?
  • How is CM-7(5) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-7(5) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-7(5)?
  • What audit logs, records, reports, or monitoring data validate CM-7(5) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-7(5) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-7(5) compliance?

Ask AI

Configure your API key to use AI features.