The principle of least functionality calls for the configuration of systems to provide only essential capabilities. This means that systems are to only have mission-essential software installed, only essential ports open and essential services on. Nothing more nothing less.

The principle of least functionality provides several benefits. The most apparent benefit is that systems configured to provide only essential capabilities have an inherently smaller attack surface. Why? Because they only have essential ports open, they only have essential software installed, and they have a limited number of services on. As a result an attacker has less avenues of attack. There are less ports, software, and services for the attacker to exploit. Is it easier to attack a web server with only ports 80 (HTTP), and 443 (HTTPS) open or a web server with ports 80, 443, and 21 (FTP) open? Obviously the web server with more open ports is easier to attack.

Another benefit of the principle of least functionality is that systems with only essential capabilities are easier to maintain. Why? Because they have less software installed, IT staff have less software to patch. Because they have less services on, there is less that can go wrong. A system configured with the principle of least functionality is also easier to troubleshoot.

As Leonardo Da Vinci said, “simplicity is the ultimate sophistication”.

People new to information security and cybersecurity often confuse “least functionality” with “least privilege”. Least functionality deals with how systems are configured, least privilege deals with providing hat users and programs only the necessary privileges to complete their tasks. Least privilege is determining which user account should have which privileges. This involves assigning administrative rights to some users and not others.

Companies with cybersecurity maturity model certification (CMMC) level two or higher requirements are required to employ the principle of least functionality.

Here is the CMMC least functionality requirement, “CM.2.062 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.“

For more on this CMMC requirement check out our CMMC handbook CMMC handbook