Least Functionality
Least functionality is the security principle of configuring systems to provide only the capabilities required for their intended purpose — disabling or removing all unnecessary functions, ports, protocols, services, and software. A system should do what it needs to do and nothing more.
In practice, least functionality means disabling unused services, removing unnecessary software, closing unneeded network ports, restricting available system functions based on user role, and preventing the installation of unauthorized programs. This reduces your attack surface by eliminating potential entry points that aren't needed for business operations.
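One way to check the "closing unneeded network ports" part of this is to compare what a host is actually listening on against an approved baseline for its role. The following is an added example, not part of the original page: the `ss -H -tulnp` sample is constructed, and the baseline, function names, and the loopback ranking are assumptions chosen for illustration.

```python
import re

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1001,fd=6))
tcp   LISTEN 0      32                 *:21              *:*    users:(("vsftpd",pid=900,fd=3))
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=700,fd=7))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
"""

# Hypothetical approved baseline for this host's role: (protocol, port).
BASELINE = {("tcp", 22), ("tcp", 443)}
LOOPBACK = ("127.", "[::1]")

def parse_listeners(ss_output):
    """Return (proto, address, port, process) for each listening socket."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # rpartition keeps IPv6 colons in addr
        if not port.isdigit():
            continue
        # The users:(...) column is absent when ss runs without privileges.
        m = re.search(r'users:\(\("([^"]+)"', line)
        rows.append((proto, addr, int(port), m.group(1) if m else "unknown"))
    return rows

def unapproved(listeners, baseline):
    """Listeners outside the baseline, one per (proto, port), network-reachable first."""
    findings = {}
    for proto, addr, port, proc in listeners:
        if (proto, port) in baseline:
            continue
        exposed = not addr.startswith(LOOPBACK)
        prev = findings.get((proto, port))
        if prev is None or (exposed and not prev["exposed"]):
            findings[(proto, port)] = {"proto": proto, "port": port, "process": proc, "exposed": exposed}
    return sorted(findings.values(), key=lambda f: (not f["exposed"], f["port"]))

if __name__ == "__main__":
    for f in unapproved(parse_listeners(SAMPLE_SS), BASELINE):
        scope = "network-reachable" if f["exposed"] else "loopback only"
        print(f'{f["proto"]}/{f["port"]} {f["process"]} ({scope}): not in baseline')
```

Each finding is a candidate for disabling the service or for a documented exception added to the baseline; a process reported as `unknown` means `ss` was run without the privileges needed to see the socket's owner.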
Why It Matters
Least functionality is a specific CMMC requirement under configuration management. Every unnecessary service or application on a system is a potential vulnerability. Assessors will verify that your systems are configured to the minimum functionality needed for their mission.