CMMC 2.0 • LEVEL 2 • CONFIGURATION MANAGEMENT

CM.L2-3.4.8 Authorized Software – Allow by Exception

Identify software programs authorized to execute on the system. Implement a deny-all, allow-by-exception policy for the execution of authorized software programs on the system. Review and update the list of authorized software programs (organization-approved applications defined in the application allowlist; CMMC/STIG).

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • software programs authorized to execute on the system are identified.
  • a deny-all, allow-by-exception policy for the execution of authorized software programs on the system is implemented.
  • the list of authorized software programs (organization-approved applications defined in the application allowlist; CMMC/STIG) is reviewed and updated.

Practitioner Notes

Practitioner commentary coming soon.