NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-11 User-installed Software

Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users; Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }}; and Monitor policy compliance {{ insert: param, cm-11_odp.03 }}.

CMMC Practice Mapping

NIST 800-171 Mapping

Supplemental Guidance

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved "app stores." Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

Practitioner Notes

This control restricts users from installing software on their own — only approved software should be installed, and only through approved methods.

Example 1: Remove local administrator rights from standard users via Group Policy so they cannot install software on their workstations without IT involvement.

Example 2: Provide a self-service Intune Company Portal or SCCM Software Center where users can install only pre-approved applications without needing admin rights.
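The monitoring half of this control (CM-11 c) needs something that actually checks a workstation against the policy. The following PowerShell script is an added example, not part of NIST SP 800-53 or this page; the approved-software names and approved-administrator principals are constructed placeholders to be replaced with the organization's own allow-lists.

```powershell
# Added example: audit a Windows workstation against a CM-11 user-installed-software policy.
# Reports (1) installed software not on the approved list and (2) local Administrators
# members outside the approved set (the Group Policy example above removes the latter).
# The two lists below are constructed placeholders, not an organization's real policy.
$ApprovedSoftware = @('Microsoft Edge', 'Microsoft 365 Apps', '7-Zip')
$ApprovedAdmins   = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins')

function Get-InstalledSoftware {
    # Per-machine (64- and 32-bit) and per-user Uninstall keys. HKCU entries are the
    # installs a standard user can typically create without administrator rights.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{ Name = 'Scope'; Expression = {
                if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } }
}

function Get-UnapprovedSoftware {
    # Anything whose display name does not start with an approved product name is a finding.
    Get-InstalledSoftware | Where-Object {
        $name = $_.DisplayName
        -not ($ApprovedSoftware | Where-Object { $name -like "$_*" })
    }
}

function Get-UnapprovedLocalAdmins {
    # Local Administrators membership is what lets a user bypass installation policy.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedAdmins -notcontains $_.Name }
}

$unapprovedSoftware = @(Get-UnapprovedSoftware)
$unapprovedAdmins   = @(Get-UnapprovedLocalAdmins)

"Unapproved software on $env:COMPUTERNAME:"
$unapprovedSoftware | Format-Table DisplayName, DisplayVersion, Publisher, Scope -AutoSize
"Unapproved local administrators:"
$unapprovedAdmins | Format-Table Name, PrincipalSource, ObjectClass -AutoSize

# Non-zero exit lets a scheduled task or endpoint-management tool flag the host as non-compliant.
if ($unapprovedSoftware.Count -gt 0 -or $unapprovedAdmins.Count -gt 0) { exit 1 } else { exit 0 }
```

Registry Uninstall keys only see software that registered an uninstaller, so portable executables dropped into a user profile are not listed; pair this check with application-control logs (AppLocker or WDAC) to cover that gap.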