NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT
CM-7(2) — Prevent Program Execution
Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}.
Supplemental Guidance
Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time.
Practitioner Notes
This enhancement requires automated mechanisms to prevent unauthorized software from running — not just policies, but technical enforcement.
Example 1: Deploy AppLocker or WDAC policies via Group Policy to technically prevent users from running executables that are not on the approved allowlist.
Example 2: Use SELinux or AppArmor on Linux systems to confine applications to only the resources and actions they need, blocking unauthorized program execution.
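A check for the gap the note above describes, an AppLocker policy that exists but does not block: this added example (not part of the NIST text or of any Microsoft tooling) audits a policy exported as XML, for instance with `Get-AppLockerPolicy -Effective -Xml`. The sample policy, the set of broad SIDs and the writable-path hints are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an AppLocker XML export; not a real policy.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="r1" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="r2" Name="Temp tools" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
  </FilePathRule>
 </RuleCollection>
 <RuleCollection Type="Script" EnforcementMode="AuditOnly">
  <FilePathRule Id="r3" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
 </RuleCollection>
 <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

COLLECTIONS = ("Exe", "Msi", "Script", "Dll", "Appx")
BROAD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, Users
# Assumption: substrings that mark user-writable locations; tune for your environment.
WRITABLE_HINTS = ("%OSDRIVE%\\USERS\\", "%REMOVABLE%", "%HOT%", "\\TEMP\\")

def audit_policy(xml_text):
    """Return (collection, finding) pairs where the policy does not actually prevent execution."""
    root = ET.fromstring(xml_text)
    by_type = {rc.get("Type"): rc for rc in root.iter("RuleCollection")}
    findings = []
    for ctype in COLLECTIONS:
        rc = by_type.get(ctype)
        if rc is None or len(rc) == 0:  # AppLocker applies no restriction without rules
            findings.append((ctype, "no rules: every file of this type may run"))
            continue
        if rc.get("EnforcementMode") == "AuditOnly":
            findings.append((ctype, "audit only: logged, not blocked"))
        for rule in rc.iter("FilePathRule"):
            if rule.get("Action") != "Allow" or rule.get("UserOrGroupSid") not in BROAD_SIDS:
                continue
            for cond in rule.iter("FilePathCondition"):
                path = cond.get("Path", "")
                if path == "*" or any(h in path.upper() for h in WRITABLE_HINTS):
                    findings.append((ctype, "broad allow on user-writable path: " + path))
    return findings

if __name__ == "__main__":
    for ctype, finding in audit_policy(SAMPLE_POLICY):
        print(f"{ctype:7} {finding}")
```

A collection left at `NotConfigured` is not flagged when it has rules, because AppLocker enforces rules in that state by default; only `AuditOnly` and empty collections are reported as non-blocking.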