Configuration Management 3.4.7

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.


What Is This CMMC Control?

This control requires organizations to identify and disable unnecessary software, network services, ports, and protocols that could increase attack surface or introduce security risks. Organizations must determine which capabilities are essential for business operations and restrict or prevent everything else. This includes blocking unauthorized applications, disabling unused network services, closing unnecessary ports, and preventing risky protocols like FTP or peer-to-peer file sharing. The goal is to minimize potential entry points for attackers by reducing the system's attack surface to only what is absolutely necessary.

Control Intent

Minimize attack surface and reduce security risk by ensuring only essential and approved software, services, ports, and protocols are available on systems processing or storing CUI.

Who This Control Applies To

  • All endpoints (workstations, laptops, mobile devices) in the CUI environment
  • All servers (application servers, database servers, file servers, domain controllers) in the CUI environment
  • Network devices (routers, switches, firewalls) that support CUI systems
  • Virtual machines and containers hosting CUI workloads
  • Cloud-based systems and services processing or storing CUI

Not Applicable When

  • Systems that do not process, store, or transmit CUI
  • Systems completely isolated from the CUI environment with no network connectivity or data exchange
  • Standalone systems used exclusively for non-CUI purposes with documented network segmentation

Key Objectives

  1. Prevent unauthorized or unnecessary software from executing on systems
  2. Disable network services, ports, and protocols that are not required for business operations
  3. Reduce the attack surface available to potential adversaries
  4. Establish and enforce organizational determinations about what constitutes essential versus nonessential capabilities

Sample Self-Assessment Questions (Partial)

Have you identified which software applications are approved for use on systems that handle CUI?

Do you have a process to prevent users from installing unauthorized software?

Implementation Approaches (High-Level)

Application Whitelisting with Centralized Policy

Deploy application control technology that allows only approved executables, scripts, and libraries to run, managed through centralized policy

Service Hardening and Baseline Configuration

Implement hardened configuration baselines that disable unnecessary services, protocols, and features on endpoints and servers

Network Port and Protocol Restriction

Configure firewalls, network devices, and host-based controls to block unnecessary network ports and protocols

Endpoint Device Control

Restrict or disable hardware interfaces and peripheral devices that are not required for business operations

Role-Based Software Execution Restrictions

Limit which user roles or groups can execute specific types of software, scripts, or administrative tools

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If application whitelisting is not yet deployed, create a phased implementation plan starting with servers and high-value endpoints, with interim compensating controls such as removing local admin rights and enhanced monitoring
  • If service hardening is incomplete, prioritize disabling high-risk services (SMBv1, LLMNR, NetBIOS) and protocols (FTP, Telnet) first, then address remaining nonessential services in subsequent phases
  • If no formal process exists for determining essential versus nonessential capabilities, develop and document the process first, then apply it systematically to different system types
  • If restrictions are inconsistently applied, document the current state, identify gaps, and create a remediation plan organized by system criticality
  • If users have local administrator rights that prevent effective restrictions, implement a privileged access management solution or remove admin rights with a plan to address the resulting support needs
  • Include specific milestones such as policy development, technology selection and procurement, pilot deployment, phased rollout, and validation testing
  • Address resource constraints by focusing on CUI systems first and expanding to supporting infrastructure in later phases
  • For legacy systems that cannot support modern application control, document compensating controls such as network isolation, enhanced monitoring, and strict change control

Frequently Asked Questions

What does this control require organizations to do?

This control requires organizations to identify which software, services, network ports, protocols, and system features are truly necessary for business operations, and then restrict, disable, or prevent everything else. This includes blocking unauthorized applications, disabling unused network services, closing unnecessary ports, and preventing risky protocols. The goal is to minimize the attack surface by ensuring only essential capabilities are available on systems handling CUI.

What is the difference between restricting, disabling, and preventing in this control?

Restricting means limiting who can use a capability or under what conditions (e.g., only administrators can run PowerShell). Disabling means turning off a service or feature so it cannot be used at all (e.g., disabling the Print Spooler service). Preventing means blocking something from being installed or executed in the first place (e.g., application whitelisting that prevents unauthorized software from running). Organizations should use the most appropriate method based on the capability and risk.

How do we determine what is essential versus nonessential?

Organizations must make security-based determinations considering business requirements, system roles, and risk. Essential capabilities are those required for the system to perform its intended business function. Everything else is nonessential. This determination should be documented, reviewed by security and business stakeholders, and updated as needs change. Industry hardening guides (CIS Benchmarks, DISA STIGs) provide good starting points for common system types.

Does this control require application whitelisting specifically?

The control does not mandate a specific technology, but application whitelisting (allowing only approved software to run) is one of the most effective ways to restrict nonessential programs. Other acceptable approaches include blacklisting known bad software, removing local administrator rights, using software restriction policies, or implementing privileged access management. The key is demonstrating that nonessential programs are effectively prevented from executing.

What are examples of protocols organizations commonly restrict or disable?

The control specifically mentions FTP, Bluetooth, and peer-to-peer networking as examples. Other commonly restricted protocols include Telnet, TFTP, SMBv1, LLMNR, NetBIOS, SNMP v1/v2, and HTTP (unencrypted web traffic). Organizations should evaluate each protocol based on security risk and business necessity. Modern secure alternatives (SFTP instead of FTP, SSH instead of Telnet) should be used when the function is required.
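As an added example (not from this page or ConformatIQ), the PowerShell audit below checks a Windows system for the high-risk services and protocols named in the POA&M section and in this answer (SMBv1, LLMNR, NetBIOS, Telnet, Print Spooler) and records the result as a per-host evidence file of the kind an assessor samples. It assumes Windows 10 / Server 2016 or later with the built-in SmbShare module and an elevated session; the output file name is a placeholder.

```powershell
# Added example, not from the page or ConformatIQ: a read-only audit of the services and
# protocols this control singles out, recorded as assessment evidence.
# Assumes Windows 10 / Server 2016 or later, the built-in SmbShare module, and an
# elevated session. Expected values describe the hardened ("disabled") state.
$checks = @(
    @{ Item = 'SMBv1 server';  Expect = $false
       Actual = { (Get-SmbServerConfiguration).EnableSMB1Protocol } }
    @{ Item = 'LLMNR (EnableMulticast)';  Expect = 0     # absent value = LLMNR still on
       Actual = {
           $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
           (Get-ItemProperty -Path $p -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
       } }
    @{ Item = 'NetBIOS over TCP/IP';  Expect = 2          # 2 = disabled on the adapter
       Actual = {
           $opts = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                   Select-Object -ExpandProperty TcpipNetbiosOptions -Unique
           if (@($opts).Count -eq 1) { [int]$opts } else { -1 }   # -1 = adapters disagree
       } }
    @{ Item = 'Telnet client feature';  Expect = 'Disabled'
       Actual = {
           $state = (Get-WindowsOptionalFeature -Online -FeatureName TelnetClient).State
           if ($state -eq 'Enabled') { 'Enabled' } else { 'Disabled' }
       } }
    @{ Item = 'Print Spooler start mode';  Expect = 'Disabled'
       Actual = { (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode } }
)

# Evaluate every check; a command failure is recorded rather than aborting the audit.
$report = foreach ($c in $checks) {
    try   { $actual = & $c.Actual } catch { $actual = "error: $($_.Exception.Message)" }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Item      = $c.Item
        Expected  = $c.Expect
        Actual    = $actual
        Compliant = ($actual -eq $c.Expect)
        Checked   = (Get-Date).ToString('o')
    }
}

$report | Format-Table Item, Expected, Actual, Compliant -AutoSize
# File name is a placeholder; store the CSV with the system's other configuration evidence.
$report | Export-Csv -Path "$env:COMPUTERNAME-CM-3.4.7-audit.csv" -NoTypeInformation
```

Any row with Compliant = False points to a service that is still enabled and should either be disabled in the baseline or documented as an approved exception with its business justification.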

How is this control verified during a CMMC assessment?

Assessors will review your documented process for identifying essential versus nonessential capabilities, examine configuration evidence from sampled systems (service lists, firewall rules, application control policies), and may perform network scans to verify only approved ports and services are accessible. They will look for consistency across systems, proper documentation of exceptions, and evidence that restrictions are actively enforced rather than just documented. Expect to justify why each enabled service or approved application is essential for business operations.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.