CMMC 2.0 • LEVEL 2 • CONFIGURATION MANAGEMENT
CM.L2-3.4.6 — Least Functionality
Configure the system to provide only mission-essential capabilities. Prohibit or restrict use of the following functions, ports, protocols, connections, and services: peer-to-peer file sharing, unauthorized remote access tools, cryptocurrency mining software, unapproved cloud sync clients [CMMC/STIG]. Review the system annually or following significant system changes [CMMC/STIG] to identify unnecessary or nonsecure functions, ports, protocols, connections, and services. Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure.
Assessment Objectives
- the use of the following functions is prohibited or restricted: peer-to-peer file sharing, unauthorized remote access tools, cryptocurrency mining software, unapproved cloud sync clients [CMMC/STIG].
- the use of the following ports is prohibited or restricted: Telnet, FTP (plaintext), SNMPv1/v2, rsh/rlogin, and TFTP (unless operationally required) [CMMC/STIG].
- the use of the following protocols is prohibited or restricted: all ports and protocols not explicitly required and documented in the SSP (default-deny with allow-list) [CMMC/STIG].
- the use of the following connections is prohibited or restricted: USB storage auto-run, Bluetooth (if not required for operations), and direct memory access from external interfaces [CMMC/STIG].
- the use of the following services is prohibited or restricted: personal email clients, social media applications, and other applications not required for mission functions [CMMC/STIG].
- the system is reviewed annually or following significant system changes [CMMC/STIG] to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.
- unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed.
- the system is configured to provide only mission-essential capabilities.
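The port and protocol objectives above amount to a default-deny check: every listening service must either appear on the SSP allow-list or be treated as a finding, and the named legacy services (Telnet, plaintext FTP, SNMPv1/v2, rsh/rlogin, TFTP) need a documented operational justification even when allowed. The following script is an added example written for this page, not assessment tooling from CMMC or any STIG. It parses constructed `ss -tulpn`-style output; the port numbers, the allow-list contents and the severity labels are assumptions made for illustration.

```python
"""Audit listening services against the CM.L2-3.4.6 objectives (added example).

Parses ss-style output, flags services on ports the objectives name as
prohibited, and treats anything not on the SSP allow-list as a finding
(default-deny). All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Assumed port numbers for the services the objectives name as prohibited
# unless operationally required.
PROHIBITED_PORTS = {
    23: "Telnet",
    21: "FTP (plaintext)",
    161: "SNMPv1/v2",
    513: "rlogin",
    514: "rsh",
    69: "TFTP",
}

# Constructed SSP allow-list: (protocol, port) pairs documented as required.
SSP_ALLOWLIST = {("tcp", 22), ("tcp", 443), ("udp", 123)}

# Constructed sample in the shape of `ss -tulpn` output.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("in.telnetd",pid=901,fd=4))
tcp   LISTEN 0      128    *:443              *:*               users:(("nginx",pid=1020,fd=6))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=655,fd=7))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("chronyd",pid=500,fd=5))
tcp   LISTEN 0      128    [::]:8080          [::]:*            users:(("java",pid=1400,fd=9))
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str


# Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, rest.
_LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")
_PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(text):
    """Return a Listener for each tcp/udp line; header and odd lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        proto, _addr, port, rest = m.groups()
        pm = _PROC_RE.search(rest)
        process = pm.group(1) if pm else "unknown"
        listeners.append(Listener(proto, int(port), process))
    return listeners


def audit(listeners, allowlist=SSP_ALLOWLIST, prohibited=PROHIBITED_PORTS):
    """Return (severity, listener, reason) findings.

    Allow-listed listeners pass unless they sit on a prohibited port, in which
    case a low-severity finding asks for the documented justification. Prohibited
    ports not on the allow-list are high; any other undocumented listener is
    medium because the SSP default-deny rule does not cover it.
    """
    findings = []
    for lsn in listeners:
        allowed = (lsn.proto, lsn.port) in allowlist
        if allowed and lsn.port in prohibited:
            findings.append(("low", lsn,
                             f"{prohibited[lsn.port]} allowed by SSP; verify operational justification"))
        elif allowed:
            continue
        elif lsn.port in prohibited:
            findings.append(("high", lsn, f"prohibited service: {prohibited[lsn.port]}"))
        else:
            findings.append(("medium", lsn, "not documented in SSP allow-list (default-deny)"))
    return findings


def main():
    for sev, lsn, reason in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"{sev:6} {lsn.proto}/{lsn.port:<5} {lsn.process:12} {reason}")


if __name__ == "__main__":
    main()
```

On a live host the same `audit()` runs over real `ss -tulpn` output, with the allow-list populated from the SSP; keeping the allow-list in version control alongside the SSP makes the annual or post-change review a diff rather than a rediscovery.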
Practitioner Notes
Practitioner commentary coming soon.