The Principle of Least Functionality, Simplicity is the Ultimate Sophistication
Employing the principle of least functionality is critical for organizations seeking to reduce their cyber risk.
Join our newsletter:
What is the Principle of Least Functionality?
The principle of least functionality calls for the configuration of systems to provide only essential capabilities. This means that systems are to only have mission-essential software installed, only essential ports open and essential services on. Nothing more nothing less.
Benefits of the Principle of Least Functionality
The principle of least functionality provides several benefits. The most apparent benefit is that systems configured to provide only essential capabilities have an inherently smaller attack surface. Why? Because they only have essential ports open, they only have essential software installed, and they have a limited number of services on. As a result an attacker has less avenues of attack. There are less ports, software, and services for the attacker to exploit. Is it easier to attack a web server with only ports 80 (HTTP), and 443 (HTTPS) open or a web server with ports 80, 443, and 21 (FTP) open? Obviously the web server with more open ports is easier to attack.
Another benefit of the principle of least functionality is that systems with only essential capabilities are easier to maintain. Why? Because they have less software installed, IT staff have less software to patch. Because they have less services on, there is less that can go wrong. A system configured with the principle of least functionality is also easier to troubleshoot.
As Leonardo Da Vinci said, “simplicity is the ultimate sophistication”.
Least Functionality vs. Least Privilege
People new to information security and cybersecurity often confuse “least functionality” with “least privilege”. Least functionality deals with how systems are configured, least privilege deals with providing hat users and programs only the necessary privileges to complete their tasks. Least privilege is determining which user account should have which privileges. This involves assigning administrative rights to some users and not others.
CMMC Least Functionality Requirement
Companies with cybersecurity maturity model certification (CMMC) level two or higher requirements are required to employ the principle of least functionality.
Here is the CMMC least functionality requirement, “CM.2.062 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.“
For more on this CMMC requirement check out our CMMC handbook CMMC handbook
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.