NIST SP 800-171 & CMMC 2.0 3.4.6 Requirement:
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
NIST SP 800-171 & CMMC 2.0 3.4.6 Requirement Explanation:
Modify your systems to remove non-essential applications, disable unnecessary services, and close unused ports. Systems come with many unnecessary applications and settings enabled by default including unused ports and protocols. Leave only the fewest capabilities necessary for the systems to operate effectively. By removing non-mission essential software, ports, and services from your devices you are reducing their attack surface.
Example NIST SP 800-171 & CMMC 2.0 3.4.6 Implementation:
Review the systems deployed at your company and remove non-essential software, ports, and services. Your systems should only have enough functionality to complete their mission. Review all your computers and servers for unnecessary software and uninstall them. Unnecessary software is software that does not have a business need. Scan your server's ports using the Nmap software to identify open ports. Close/disable any non-essential ports and services identified in the scan.
NIST SP 800-171 & CMMC 2.0 3.4.6 Scenario(s):
- Scenario 1:
Alice, a system administrator wants to ensure that her servers are configured in accordance with the prinicpal of least functionality. She runs port scans against them and identifies several open ports that are non-essential. She closes the ports thus reducing their attack surface.
- Scenario 2:
Alice conducts an audit of her company's workstations and discovers that several users have installed video games on their computers. She uninstalls the games and any other non-essential software from the workstations.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.