NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT

3.4.8 Authorized Software – Allow by Exception

Identify software programs authorized to execute on the system. Implement a deny-all, allow-by-exception policy for the execution of authorized software programs on the system. Review and update the list of authorized software programs {{ insert: param, A.03.04.08.ODP.01 }}.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • software programs authorized to execute on the system are identified.
  • a deny-all, allow-by-exception policy for the execution of authorized software programs on the system is implemented.
  • the list of authorized software programs is reviewed and updated {{ insert: param, A.03.04.08.ODP.01 }}.

Practitioner Notes

This is application allowlisting (application whitelisting): you maintain a list of approved software, and anything not on the list is blocked by default. Instead of trying to enumerate every bad program (which is impossible), you define what is allowed and deny everything else.

This is one of the most effective controls you can implement against malware and unauthorized software.

Example 1: Deploy Windows Defender Application Control (WDAC) using Microsoft Intune. In the Intune Admin Center > Endpoint Security > Application Control, create a policy that allows only Microsoft-signed and your organization-signed applications. Start in audit mode to identify gaps, then switch to enforce mode once your authorized software list is finalized.

Example 2: Use a third-party tool like Carbon Black App Control (formerly Cb Protection). Define your approved software list in the management console under Rules > Software Rules. Set the enforcement level to "High" so only approved publishers and file hashes can execute. Review the "Unapproved Files" report monthly to update the list as legitimate new software is deployed.
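The WDAC workflow from Example 1 (identify, deploy in audit mode, review the gaps, then enforce) can also be driven from PowerShell with the built-in ConfigCI cmdlets rather than the Intune console. The script below is an added illustration, not text from the NIST control or from Microsoft's documentation; the file paths, the reference-scan location, the 30-day review window and the `Get-WdacAuditFindings` helper are assumptions, and the event-property indices used to pull the file and process name out of the Code Integrity audit events are assumed from the event schema and should be checked against an event on your own host.

```powershell
# Added example: build a deny-all, allow-by-exception WDAC policy, run it in
# audit mode, review what would have been blocked, update the allow list,
# then switch to enforce. Assumes Windows 10/11 or Server 2019+ with the
# ConfigCI module. Paths below are placeholders.
$PolicyXml = 'C:\WDAC\AuthorizedSoftware.xml'   # assumed path
$PolicyBin = 'C:\WDAC\AuthorizedSoftware.bin'   # assumed path

# 1. Identify authorized software: scan a clean reference build and generate
#    publisher-level allow rules; unsigned files fall back to hash rules.
#    Everything not matched by a rule is denied (the deny-all default).
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
             -ScanPath 'C:\' -FilePath $PolicyXml -MultiplePolicyFormat

# 2. Start in audit mode: rule option 3 = "Enabled:Audit Mode". Nothing is
#    blocked yet; violations are only logged, so gaps can be found safely.
Set-RuleOption -FilePath $PolicyXml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# Deploy $PolicyBin to endpoints (Intune, GPO or CiTool) and let it run
# through a normal business cycle before reviewing.

# 3. Review: summarise audit events so the authorized-software list can be
#    updated. Event ID 3076 = audit-mode "would have been blocked";
#    3077 = blocked under enforcement. Use 3077 for the post-enforcement review.
function Get-WdacAuditFindings {
    param(
        [int]$Days = 30,        # review window; assumed, align with the ODP value
        [int]$EventId = 3076    # 3076 while auditing, 3077 once enforcing
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            File    = $_.Properties[1].Value   # FileNameBuffer (index assumed from schema)
            Process = $_.Properties[3].Value   # ProcessNameBuffer (index assumed from schema)
        }
    } |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object @{n='File';e={$_.Name}}, Count,
                  @{n='Processes';e={($_.Group.Process | Sort-Object -Unique) -join ';'}}
}

# Export the review so the decision (approve / reject) is recorded for the assessor.
Get-WdacAuditFindings | Export-Csv 'C:\WDAC\UnapprovedFiles.csv' -NoTypeInformation

# 4. Update the list: for software the review approved, generate rules for it
#    and merge them into the base policy. The source folder is a placeholder.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
             -ScanPath 'C:\Program Files\ApprovedApp' -FilePath 'C:\WDAC\ApprovedApp.xml'
Merge-CIPolicy -PolicyPaths $PolicyXml, 'C:\WDAC\ApprovedApp.xml' -OutputFilePath $PolicyXml

# 5. Enforce: remove the audit option, rebuild the binary and redeploy.
#    From this point anything outside the allow list is blocked, not just logged.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlPath $PolicyXml -BinaryFilePath $PolicyBin
```

Steps 3 and 4 are the part of this control that is easiest to let lapse: the assessment objective is not just that the policy exists but that the list is reviewed and updated on the interval set by the organization-defined parameter, so schedule the review (with `-EventId 3077` once enforcing) and keep the exported findings as evidence of each cycle.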