NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-7(7) Code Execution in Protected Environments

Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:

(a) Obtained from sources with limited or no warranty; and/or
(b) Without the provision of source code.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Code execution in protected environments applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software.

Practitioner Notes

This enhancement requires code to execute in protected environments with integrity verification — ensuring code has not been tampered with before execution.

Example 1: Enable Secure Boot and Measured Boot on all systems to verify the integrity of boot code and operating system components before they execute.

Example 2: Use code signing certificates for all internally developed applications and configure systems to only execute code with valid signatures.
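
One way to combine the control statement with the integrity check described in the practitioner notes, as an added example that is not part of the original page or of NIST's text: a default-deny launch gate that looks a binary up by its SHA-256 digest and, for code without warranty or without source, requires both a recorded approver and a confined environment. The manifest format, the `Record` fields, the `in_confined_env` flag and the "ISSM" approver role are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    """One entry of a hypothetical approval manifest (format is an assumption)."""
    approved_by: str        # person or role holding CM-7(7) approval authority; "" if none
    warranty: bool          # False: obtained from a source with limited or no warranty
    source_available: bool  # False: delivered without source code

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def decide(binary: bytes, manifest: dict[str, Record], in_confined_env: bool) -> str:
    """Return 'allow', 'allow-confined' or 'deny: <reason>' for one launch request."""
    # The manifest is keyed by digest, so a modified binary simply has no record.
    record = manifest.get(sha256_hex(binary))
    if record is None:
        return "deny: digest not in manifest"
    # CM-7(7) applies when either condition holds.
    in_scope = not record.warranty or not record.source_available
    if not in_scope:
        return "allow"
    if not record.approved_by:
        return "deny: no explicit approval"
    if not in_confined_env:
        return "deny: confined environment required"
    return "allow-confined"

# Constructed sample data: byte strings stand in for real executables.
VENDOR_TOOL = b"\x7fELF vendor tool, supported, source escrowed"
FREEWARE = b"\x7fELF freeware utility, binary only"
UNREVIEWED = b"\x7fELF driver blob, binary only"

MANIFEST = {
    sha256_hex(VENDOR_TOOL): Record("", warranty=True, source_available=True),
    sha256_hex(FREEWARE): Record("ISSM", warranty=False, source_available=False),
    sha256_hex(UNREVIEWED): Record("", warranty=False, source_available=False),
}

if __name__ == "__main__":
    for name, blob, confined in [
        ("vendor tool on host", VENDOR_TOOL, False),
        ("freeware on host", FREEWARE, False),
        ("freeware in sandbox VM", FREEWARE, True),
        ("tampered freeware in sandbox VM", FREEWARE + b"\x90", True),
        ("unreviewed blob in sandbox VM", UNREVIEWED, True),
    ]:
        print(f"{name}: {decide(blob, MANIFEST, confined)}")
```

The returned decision string doubles as an audit record of why a launch was allowed or refused, which is the evidence an assessor will ask for.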