NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT
CM-7(5) — Authorized Software — Allow-by-exception
Identify {{ insert: param, cm-07.05_odp.01 }}; Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}.
Supplemental Guidance
Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7).
Practitioner Notes
This enhancement implements an allow-by-exception approach — you maintain a list of approved software, and only software on that list is permitted to run.
Example 1: Create AppLocker allowlist policies that permit only signed Microsoft applications and your organization's approved business applications to execute.
Example 2: Use your Intune managed apps feature to deploy only approved applications to devices and block installation of applications from outside the managed catalog.