NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-7 User-installed Software

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This control (withdrawn and incorporated into CM-11 and SI-7) addresses user-installed software — ensuring that users cannot install unauthorized software that might introduce vulnerabilities, malware, or licensing violations.

Example 1: Remove local administrator privileges from standard users so they cannot install software on their own. Use a software deployment tool (SCCM, Intune, PDQ Deploy) to manage all software installations centrally. Users request software through a ticketing system; IT approves and deploys it.
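The first half of Example 1 (taking local administrator rights away from standard users) can be verified and enforced from PowerShell. The script below is an added example and is not taken from the page or from NIST; it assumes Windows 10 / Server 2016 or later (for the built-in LocalAccounts module), an elevated session, and an approved-administrator list that you maintain yourself. The `CONTOSO\Workstation Admins` group is a hypothetical placeholder.

```powershell
# Added example (not from the original page): report and remove members of the local
# Administrators group that are not on an approved list, so standard users cannot
# install software on their own. Requires the built-in Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016+) and an elevated PowerShell session.

# Constructed approved list. Get-LocalGroupMember returns names as "COMPUTER\user"
# for local accounts and "DOMAIN\name" for domain principals, so list them that way.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally LAPS-managed)
    'CONTOSO\Workstation Admins'         # hypothetical domain group for IT staff
)

function Get-UnapprovedLocalAdmin {
    param([string[]]$Approved = $ApprovedAdmins)
    # Every member of Administrators that is not explicitly approved.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Remove-UnapprovedLocalAdmin {
    # SupportsShouldProcess gives us -WhatIf / -Confirm for a safe dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Approved = $ApprovedAdmins)
    foreach ($member in Get-UnapprovedLocalAdmin -Approved $Approved) {
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        }
    }
}

# Report first, then dry-run, then enforce once the output has been reviewed.
Get-UnapprovedLocalAdmin | Format-Table -AutoSize
Remove-UnapprovedLocalAdmin -WhatIf
# Remove-UnapprovedLocalAdmin    # uncomment to actually remove the unapproved members
```

Run the report stage as a scheduled task or through your endpoint management tool and you get a recurring check that nobody has quietly re-granted themselves local admin; the removal stage is what makes the control hold, since without admin rights users have to go through the ticket-and-deploy path the example describes.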

Example 2: Configure application control policies (AppLocker or Windows Defender Application Control) to allow only approved applications to run. Create allow-list rules based on publisher certificates or file paths. Blocked attempts are logged and reviewed by the security team weekly.
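Example 2 can be implemented with the AppLocker cmdlets that ship with Windows. The script below is an added example, not text or code from the page or from NIST: it builds publisher allow-list rules from the software installed on a reference machine, writes the policy in audit mode so nothing is blocked until the rules have been reviewed, and then pulls the previous week's blocked (or would-be-blocked) events for the weekly review. It assumes an elevated session on an edition that supports AppLocker enforcement, that the Application Identity service (AppIDSvc) is running, and that `C:\AppLocker\publisher-allowlist.xml` is where you want the policy; that path and the rule-name prefix are placeholders.

```powershell
# Added example (not from the original page): AppLocker publisher allow-list plus
# weekly review of block events. Requires an elevated PowerShell session; AppLocker
# enforcement also needs the Application Identity service (AppIDSvc) to be running.

# Constructed assumptions: directories that hold the approved software on a reference
# machine, and where the generated policy XML should be written.
$ReferenceDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$PolicyPath    = 'C:\AppLocker\publisher-allowlist.xml'

function New-PublisherAllowList {
    param([string[]]$Dirs = $ReferenceDirs, [string]$OutFile = $PolicyPath)
    # Gather signature information for executables, scripts and DLLs under each directory.
    $files = foreach ($d in $Dirs) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, Dll
    }
    # Publisher rules key on the signing certificate, so they survive version updates.
    # -Optimize collapses per-file rules into one rule per publisher/product;
    # -IgnoreMissingFileInformation skips unsigned files instead of failing.
    $xml = [xml](New-AppLockerPolicy -FileInformation $files -RuleType Publisher `
        -User Everyone -RuleNamePrefix 'Approved' -Optimize `
        -IgnoreMissingFileInformation -Xml)
    # Start in audit mode: rules are evaluated and logged, nothing is blocked yet.
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    $xml.Save($OutFile)
    $OutFile
}

function Set-LocalAllowList {
    param([string]$PolicyFile = $PolicyPath)
    # Merge into the local policy. For domain-wide deployment use -Ldap with a GPO path
    # instead of applying it machine by machine.
    Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
    Get-AppLockerPolicy -Effective -Xml
}

function Get-AppLockerBlockEvent {
    param([int]$Days = 7)
    # EXE and DLL log: 8004 = blocked under enforcement, 8003 = would have been blocked
    # in audit mode. (Scripts and MSI log to 'Microsoft-Windows-AppLocker/MSI and Script'
    # with IDs 8007 / 8006.)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = [xml]$_.ToXml()
            [pscustomobject]@{
                Time = $_.TimeCreated
                Mode = if ($_.Id -eq 8004) { 'Blocked' } else { 'AuditBlocked' }
                User = $e.Event.UserData.RuleAndFileData.TargetUser
                File = $e.Event.UserData.RuleAndFileData.FilePath
                Hash = $e.Event.UserData.RuleAndFileData.FileHash
            }
        } |
        Group-Object File |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

# Typical flow: generate, apply in audit mode, review for a week, then flip the
# EnforcementMode attributes to "Enabled" and re-apply.
New-PublisherAllowList | Set-LocalAllowList | Out-Null
Get-AppLockerBlockEvent -Days 7 | Format-Table -AutoSize
```

The review function groups events by file path so a weekly triage shows which blocked binaries are a real unauthorized-install attempt and which are legitimate software that is missing from the allow-list; the latter go back through the approval process rather than being allowed ad hoc on one machine.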