NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT
CM-7(1) — Periodic Review
(a) Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove {{ insert: param, cm-7.1_prm_2 }}.
Supplemental Guidance
Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.
Practitioner Notes
This enhancement requires you to review your system's functions, ports, protocols, software, and services periodically, and to disable or remove anything unnecessary or nonsecure that has crept in over time.
Example 1: Conduct quarterly Nmap scans of your network to identify any new open ports or services that were not in the approved baseline, and disable any unauthorized ones.
Example 2: Review Windows Firewall rules and running services on all servers every 90 days, removing any that are no longer needed for business operations.
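The review in Example 1 only works if the scan is compared mechanically against an approved baseline rather than eyeballed. The following script is an added example, not part of this control page or of any NIST publication: it parses Nmap grepable output (`-oG`), reports open ports that are not in the approved baseline, flags services on the organization's nonsecure list (FTP, as named in the guidance), and lists baseline entries that no longer appear so the baseline itself stays current. The scan output, host names, addresses and baseline are constructed sample data.

```python
"""Periodic CM-7(1) review: diff an Nmap -oG scan against an approved baseline.

Added example. The scan text, hosts, ports and baseline below are constructed
sample data, not real systems.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


# One "Host:" line of grepable output: host, "(name)", "Ports: ..." and an
# optional trailing "Ignored State: ..." summary.
HOST_LINE = re.compile(
    r"^Host:\s+(?P<host>\S+)\s+\([^)]*\)\s+Ports:\s+(?P<ports>.+?)"
    r"(?:\s+Ignored State:.*)?$"
)

# Organization-defined nonsecure services (the control's second parameter);
# FTP comes from the supplemental guidance, the rest is for you to tailor.
NONSECURE_SERVICES = {"ftp"}

# Approved baseline: (host, port, protocol) tuples. 139/tcp on files01 is a
# deliberately stale entry that the scan no longer shows.
APPROVED_BASELINE = {
    ("10.0.0.5", 22, "tcp"),
    ("10.0.0.5", 443, "tcp"),
    ("10.0.0.6", 22, "tcp"),
    ("10.0.0.6", 21, "tcp"),   # legacy approval; the review should re-examine it
    ("10.0.0.6", 139, "tcp"),
    ("10.0.0.6", 445, "tcp"),
}

# Constructed sample of what "nmap -sV -oG quarterly.gnmap 10.0.0.0/29" emits.
SAMPLE_SCAN = "\n".join([
    "# Nmap 7.94 scan initiated (constructed sample) as: nmap -sV -oG quarterly.gnmap 10.0.0.0/29",
    "Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy//Squid/, "
    "25/filtered/tcp//smtp///\tIgnored State: closed (996)",
    "Host: 10.0.0.6 (files01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "21/open/tcp//ftp//vsftpd 3.0.3/, 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)",
    "# Nmap done (constructed sample)",
])


def parse_gnmap(text: str) -> list[OpenPort]:
    """Return every port in state 'open' from grepable Nmap output."""
    found: list[OpenPort] = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and hosts without a port list
        for entry in m.group("ports").split(", "):
            # Field layout: port/state/protocol/owner/service/rpcinfo/version/
            f = entry.split("/")
            if len(f) < 7 or f[1] != "open":
                continue  # filtered/closed ports are not candidates here
            found.append(OpenPort(m.group("host"), int(f[0]), f[2], f[4], f[6]))
    return found


def review(scan: list[OpenPort], baseline: set[tuple[str, int, str]],
           nonsecure: set[str]) -> list[tuple[str, int, str, str, str]]:
    """Flag open ports that are unapproved and/or run a nonsecure service."""
    findings = []
    for p in scan:
        reasons = []
        if (p.host, p.port, p.proto) not in baseline:
            reasons.append("not in approved baseline")
        if p.service in nonsecure:
            reasons.append("nonsecure service")
        if reasons:
            findings.append((p.host, p.port, p.proto, p.service, "; ".join(reasons)))
    return findings


def stale_baseline(scan: list[OpenPort],
                   baseline: set[tuple[str, int, str]]) -> set[tuple[str, int, str]]:
    """Baseline entries the scan no longer observes; candidates for removal."""
    seen = {(p.host, p.port, p.proto) for p in scan}
    return baseline - seen


if __name__ == "__main__":
    open_ports = parse_gnmap(SAMPLE_SCAN)
    for host, port, proto, service, why in review(open_ports, APPROVED_BASELINE, NONSECURE_SERVICES):
        print(f"REVIEW  {host} {port}/{proto} ({service}): {why}")
    for host, port, proto in sorted(stale_baseline(open_ports, APPROVED_BASELINE)):
        print(f"STALE   {host} {port}/{proto}: in baseline but not observed")
```

Each finding is a candidate for the control's "disable or remove" step, and each stale entry is a candidate for pruning from the baseline; keep the scan file, the baseline, and the resulting decisions together as the evidence that the periodic review happened.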