NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-7(6) Confined Environments with Limited Privileges

Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations identify software that may be of concern regarding its origin or potential for containing malicious code. For this type of software, user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed.

Practitioner Notes

This enhancement requires running software in confined environments with limited privileges — sandboxing or containerization to limit the damage if software is compromised.

Example 1: Run web-facing applications in Docker containers with minimal privileges and no access to the host filesystem beyond their designated volumes.

Example 2: Use Windows Sandbox or Microsoft Application Guard to open untrusted files and browse untrusted websites in an isolated environment.
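
A check for the container profile described in Example 1, as an added example that is not part of the original page: it audits parsed `docker inspect` output for settings that break confinement. The sample records, the container names and the `/srv/web/` allowlist are constructed assumptions.

```python
# Constructed sample: two entries shaped like parsed `docker inspect` JSON.
# Container names and host paths are illustrative assumptions.
SAMPLE_INSPECT = [
    {"Name": "/web-hardened", "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges"],
                    "PidMode": "", "NetworkMode": "bridge"},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data"}]},
    {"Name": "/web-legacy", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "ReadonlyRootfs": False, "SecurityOpt": None,
                    "PidMode": "host", "NetworkMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"},
                {"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
]
ALLOWED_BIND_PREFIXES = ("/srv/web/",)  # assumption: host paths designated for this app
NNP = {"no-new-privileges", "no-new-privileges:true", "no-new-privileges=true"}

def audit(container, allowed=ALLOWED_BIND_PREFIXES):
    """List the ways one container exceeds a confined, limited-privilege profile."""
    hc, findings = container.get("HostConfig", {}), []
    if hc.get("Privileged"):
        findings.append("privileged mode")
    if hc.get("CapAdd"):
        findings.append("added capabilities: " + ",".join(hc["CapAdd"]))
    if "ALL" not in [c.upper() for c in hc.get("CapDrop") or []]:
        findings.append("capabilities not dropped (no cap-drop ALL)")
    if not NNP & set(hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem writable")
    if container.get("Config", {}).get("User", "").split(":")[0] in ("", "0", "root"):
        findings.append("runs as root")
    for ns in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(ns) == "host":
            findings.append("shares host namespace: " + ns)
    for m in container.get("Mounts", []):
        # Only bind mounts expose host paths directly; named volumes are skipped.
        if m.get("Type") == "bind" and not m.get("Source", "").startswith(allowed):
            findings.append("bind mount outside designated paths: " + m["Source"])
    return findings

def audit_all(containers):
    """Map container name to its findings; an empty list means the profile is met."""
    return {c["Name"].lstrip("/"): audit(c) for c in containers}

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_INSPECT).items():
        print(name, "->", issues or "confined")
```

On a real host, feed it the list produced by `json.loads` over the output of `docker inspect` for the running containers.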