NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-7(8) Binary or Machine Executable Code

(a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and (b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Binary or machine executable code applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software. Organizations assess software products without accompanying source code or from sources with limited or no warranty for potential security impacts. The assessments address the fact that software products without the provision of source code may be difficult to review, repair, or extend. In addition, there may be no owners to make such repairs on behalf of organizations. If open-source software is used, the assessments address the fact that there is no warranty, the open-source software could contain back doors or malware, and there may be no support available.

Practitioner Notes

This enhancement prohibits using binary or machine-executable code from unknown or untrusted sources — if you cannot verify where the code came from, do not run it.

Example 1: Block execution of downloaded executables that lack valid digital signatures using Windows SmartScreen and WDAC policies.

Example 2: Prohibit developers from using pre-compiled binary dependencies without verifying their source and integrity through hash verification or trusted package registries.
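The integrity gate from Example 2, combined with the control's exception rule in part (b), as an added Python example that is not part of the NIST text or of any tool it names; the manifest schema, the binary contents and the vetting-time digests are constructed for illustration:

```python
import hashlib
from dataclasses import dataclass


@dataclass
class VettedBinary:
    """One pre-compiled dependency as recorded when it was vetted (constructed schema)."""
    name: str
    expected_sha256: str               # digest pinned at vetting time
    warranty_or_source: bool           # vendor warranty/support, or source code is provided
    exception_approved: bool = False   # authorizing official approved a mission exception


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_binary(entry: VettedBinary, data: bytes) -> tuple[bool, str]:
    """Decide whether a binary may be used under CM-7(8).

    Order matters: an integrity failure is rejected before any policy question,
    so a tampered artifact can never be rescued by an approved exception.
    """
    if sha256_hex(data) != entry.expected_sha256:
        return False, "reject: digest does not match the pinned value"
    if entry.warranty_or_source:
        return True, "allow: integrity verified; source provides warranty or source code"
    if entry.exception_approved:
        return True, "allow by exception: authorizing official approval on record"
    return False, "reject: no warranty/source code and no approved exception"


# Constructed sample artifacts standing in for downloaded binaries.
VENDOR_BLOB = b"\x7fELF vendor-tool v1.2 (constructed sample)"
UNSUPPORTED_BLOB = b"MZ legacy-driver (constructed sample, unsupported)"

# Manifest built at vetting time; in practice the pinned digests come from the
# trusted package registry or the vendor's signed release metadata.
MANIFEST = {
    "vendor-tool": VettedBinary("vendor-tool", sha256_hex(VENDOR_BLOB), warranty_or_source=True),
    "legacy-driver": VettedBinary("legacy-driver", sha256_hex(UNSUPPORTED_BLOB), warranty_or_source=False),
    "legacy-driver-excepted": VettedBinary("legacy-driver", sha256_hex(UNSUPPORTED_BLOB),
                                           warranty_or_source=False, exception_approved=True),
}

if __name__ == "__main__":
    for key, blob in (("vendor-tool", VENDOR_BLOB),
                      ("legacy-driver", UNSUPPORTED_BLOB),
                      ("legacy-driver-excepted", UNSUPPORTED_BLOB),
                      ("vendor-tool", VENDOR_BLOB + b"\x90")):   # tampered copy
        allowed, reason = evaluate_binary(MANIFEST[key], blob)
        print(f"{key:24s} {'ALLOW' if allowed else 'REJECT'}  {reason}")
```

The exception path only records that approval exists; the compelling-mission justification itself belongs in the system's change records, not in the manifest.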