NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-7(4) Unauthorized Software — Deny-by-exception

(a) Identify {{ insert: param, cm-07.04_odp.01 }};
(b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
(c) Review and update the list of unauthorized software programs {{ insert: param, cm-07.04_odp.02 }}.

Supplemental Guidance

Unauthorized software programs can be limited to specific versions or from a specific source. The concept of prohibiting the execution of unauthorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses.

Practitioner Notes

This enhancement implements a deny-by-exception approach to software: execution is allowed by default, and only the programs on the organization-defined list of unauthorized software are blocked. Because anything not yet on that list still runs, the posture is only as strong as the completeness and review cadence of the list (the stricter deny-all, permit-by-exception model is the separate enhancement CM-7(5)).

Example 1: Configure Windows Defender Application Control (WDAC) in enforce mode to block all unsigned or unapproved applications, with a formal exception process for business needs.

Example 2: Deploy Carbon Black App Control to block unapproved software from executing on endpoints, requiring IT security approval to add new applications to the allowlist.
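An added example, not taken from this page or from Microsoft's documentation, of building the allow-all, deny-by-exception WDAC policy that the control text describes (Example 1 names WDAC): it starts from the AllowAll.xml template that ships with Windows, adds one deny rule per program on the organization's unauthorized list, and compiles the result, first in audit mode. The unauthorized application path and the temporary file names are placeholders, not values from the page.

```powershell
# Added example: allow-all, deny-by-exception WDAC policy via the ConfigCI module.
# Assumes the AllowAll.xml template shipped with Windows 10 1903+/Windows 11.
$Template  = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
$DenyXml   = "$env:TEMP\CM-7-4-DenyRules.xml"   # placeholder file name
$PolicyXml = "$env:TEMP\CM-7-4-Policy.xml"      # placeholder file name
$PolicyBin = "$env:TEMP\CM-7-4-Policy.cip"      # placeholder file name

# The organization-defined list of unauthorized software (cm-07.04_odp.01).
# Constructed placeholder entry; replace with the reviewed list.
$Unauthorized = @(
    'C:\Program Files\ExampleVendor\UnapprovedTool\tool.exe'   # placeholder path
)

# One deny rule per program, keyed on the signer (Publisher level) so that a
# renamed or relocated copy of the same signed binary is still blocked.
# Unsigned files cannot match a publisher rule, so fall back to a file hash.
$rules = foreach ($exe in $Unauthorized) {
    New-CIPolicyRule -DriverFilePath $exe -Level Publisher -Fallback Hash -Deny
}
New-CIPolicy -Rules $rules -FilePath $DenyXml -UserPEs

# Merge the deny rules into the allow-all template: every other program runs,
# only the listed ones are denied (deny-by-exception).
Merge-CIPolicy -PolicyPaths $Template, $DenyXml -OutputFilePath $PolicyXml

# Enforce user-mode code integrity, but start in audit mode (rule option 3):
# blocked executions are only logged to Microsoft-Windows-CodeIntegrity/Operational
# until the option is deleted, which gives the exception process time to run.
Set-RuleOption -FilePath $PolicyXml -Option 0          # Enabled:UMCI
Set-RuleOption -FilePath $PolicyXml -Option 3          # Enabled:Audit Mode
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete  # switch to enforcement

# Compile to the binary form consumed by the Code Integrity engine.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Re-running the script after each review of the unauthorized list (cm-07.04_odp.02) regenerates the policy, which keeps the deny rules aligned with the list the control requires you to maintain.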