CM-07 Least Functionality

Configuration Management

Baselines: Low, Moderate, High

Description

The organization configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services].

Supplemental Guidance

Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Where feasible, the organization limits component functionality to a single function per device (e.g., email server or web server, not both). The functions and services provided by information systems, or individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, File Transfer Protocol, Hyper Text Transfer Protocol, file sharing).

Changes from Rev 4

Adds parameter text for 'mission' essential capabilities.
Discussion expanded slightly.

Enhancements

(1) The organization reviews the information system [Assignment: organization-defined frequency], to identify and eliminate unnecessary functions, ports, protocols, and/or services.
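The supplemental guidance and enhancement (1) describe a procedure: write down which functions, ports, protocols and services a component is allowed to provide, then review the component periodically and eliminate everything else. The following is an added example, not part of the control catalog or of any NIST tooling, of what that review looks like in code on a Linux host: it parses `ss -tulpn` output, compares each listener against an organization-defined allowlist keyed on (protocol, port, owning process), and reports the rest, separating sockets bound to a wildcard address (reachable off-host) from loopback-only ones. The sample `ss` output, the host and the allowlist are all constructed for the example; the allowlist is the "[Assignment: organization-defined ...]" parameter of CM-7 written down as data.

```python
"""Allowlist review of listening services, in the spirit of CM-7 and CM-7(1).

Added example; it is not part of the control catalog or of any NIST tooling.
It parses `ss -tulpn` style output and flags every listener that is not on
an organization-defined allowlist. The allowlist, host and sample output are
all hypothetical.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample of `ss -tulpn` output for a hypothetical web host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=512,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=601,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=742,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=900,fd=7))
tcp   LISTEN 0      5      0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1003,fd=4))
tcp   LISTEN 0      100    0.0.0.0:25          0.0.0.0:*         users:(("master",pid=1100,fd=13))
tcp   LISTEN 0      128    127.0.0.1:9090      0.0.0.0:*         users:(("node_exporter",pid=1200,fd=3))
"""

# Hypothetical organization-defined allowlist: (protocol, port, process).
# The process name is part of the key so that an unexpected binary squatting
# on an approved port (a web shell on 443, say) is still reported.
ALLOWLIST: Set[Tuple[str, int, str]] = {
    ("tcp", 22, "sshd"),
    ("tcp", 80, "nginx"),
    ("tcp", 443, "nginx"),
    ("udp", 53, "systemd-resolve"),
}

# A socket bound to any of these addresses is reachable from off-host.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}
_PROC_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: Optional[str]  # None when ss could not see the owner (non-root run)


@dataclass(frozen=True)
class Finding:
    listener: Listener
    exposed: bool  # True if bound to a wildcard address


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -tulpn` output; the header and unknown lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        # rpartition copes with IPv6 "[::]:443" and scoped "127.0.0.53%lo:53".
        addr, _, port = fields[4].rpartition(":")
        match = _PROC_RE.search(fields[6]) if len(fields) > 6 else None
        listeners.append(Listener(fields[0], addr, int(port),
                                  match.group(1) if match else None))
    return listeners


def review(listeners: Iterable[Listener],
           allowlist: Set[Tuple[str, int, str]]) -> List[Finding]:
    """Return one Finding per listener that is not on the allowlist."""
    findings = []
    for lsn in listeners:
        if (lsn.proto, lsn.port, lsn.process) in allowlist:
            continue
        findings.append(Finding(lsn, lsn.addr in WILDCARD_ADDRS))
    # Exposed listeners first, then by protocol and port.
    return sorted(findings,
                  key=lambda f: (not f.exposed, f.listener.proto, f.listener.port))


def format_report(findings: List[Finding]) -> str:
    """Human-readable summary; starts with "OK" only when nothing was found."""
    if not findings:
        return "OK: every listener is allowlisted"
    rows = ["%s %s/%d %s (%s)" % (
        "EXPOSED" if f.exposed else "local  ",
        f.listener.proto, f.listener.port, f.listener.addr,
        f.listener.process or "owner unknown, rerun as root") for f in findings]
    return "\n".join(["%d listener(s) not on the allowlist:" % len(findings)] + rows)


if __name__ == "__main__":
    # `--live` runs ss on this host; by default the constructed sample is used.
    if "--live" in sys.argv:
        text = subprocess.run(["ss", "-tulpn"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SS_OUTPUT
    report = format_report(review(parse_ss(text), ALLOWLIST))
    print(report)
    sys.exit(0 if report.startswith("OK") else 1)
```

On the sample the script reports four listeners: rpcbind (udp/111), vsftpd (tcp/21) and the mail daemon (tcp/25) bound to all interfaces, and node_exporter on loopback only. Two caveats a practitioner should keep in mind: `ss` shows the owning process only when run as root, and a listener whose owner is unknown is deliberately treated as not allowlisted rather than silently accepted; and a clean listening-socket report says nothing about non-network functions (setuid binaries, optional kernel modules, installed-but-idle packages), which the same allowlist-and-review pattern has to cover separately.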

MITRE ATT&CK Techniques (225)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID (the MITRE Center for Threat-Informed Defense control mappings).

Reconnaissance: 1
Initial Access: 8
Execution: 24
Persistence: 46
Privilege Escalation: 37
Defense Evasion: 79
Credential Access: 20
Discovery: 9
Lateral Movement: 14
Collection: 13
Command & Control: 26
Exfiltration: 10
Impact: 12

Defense Evasion

T1027, T1036, T1078, T1112, T1127, T1197, T1205, T1216, T1218, T1220, T1221, T1484, T1548, T1553, T1556, T1562, T1574, T1599, T1601, T1610, T1612, T1622, T1647, T1036.005, T1036.007, T1036.008, T1078.004, T1127.002, T1205.001, T1216.001, T1216.002, T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.012, T1218.013, T1218.014, T1218.015, T1542.004, T1542.005, T1548.001, T1548.003, T1548.004, T1548.006, T1553.001, T1553.003, T1553.004, T1553.005, T1553.006, T1556.002, T1556.008, T1556.009, T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.009, T1562.010, T1564.002, T1564.003, T1564.006, T1564.008, T1564.009, T1574.001, T1574.006, T1574.007, T1574.008, T1574.009, T1574.012, T1574.014, T1599.001, T1601.001, T1601.002

Compliance Mappings

ISO 27001:2022

A.8.1, A.8.18, A.8.19, A.8.9

ISO 27002:2022

5.37, 8.1, 8.18, 8.19, 8.9

COBIT 2019

BAI10

CIS Controls v8

CIS 10.3, CIS 12, CIS 2, CIS 2.3, CIS 2.5, CIS 2.6, CIS 2.7, CIS 4, CIS 4.8, CIS 9.1, CIS 9.4

NIST CSF 2.0

PR.PS-01, PR.PS-02, PR.PS-05

SOC 2 TSC

CC6.1-POF7, CC6.7-POF1

PCI DSS v4.0.1

1.2.5, 2.2, 2.2.5

CSA CCM v4

UEM-02, UEM-10

CSA AICM v1

UEM-02, UEM-10

FINOS CCC

CCC-C14

ISO 42001:2023

A.9.4

IEC 62443

3-3 SR 7.6, 3-3 SR 7.7

NIS2 Directive

Art. 21(2)(g)

MAS TRM

11

ASD Essential Eight

E8-1, E8-1 ML1, E8-1 ML2, E8-1 ML3, E8-3, E8-3 ML1, E8-3 ML2, E8-3 ML3, E8-4, E8-4 ML1, E8-4 ML2, E8-4 ML3

BSI IT-Grundschutz

APP.1.1, NET.1.2, NET.3.1, SYS.1.1, SYS.2.1

ANSSI

Hygiene.18, Hygiene.20, SecNumCloud.13.1

FINMA Circular 2023/1

IV.A(28), IV.C(64), IV.C(65)

OSFI B-13

B-13.2.2, B-13.3.2

EU GDPR

Art.25(1), Art.25(2), Art.32(1)(b)

EU DORA

Art.7(1), Art.9(1)

BIO2

5.37, 8.1, 8.18, 8.19, 8.9

RBI CSF

Annex1.2, Annex1.5

FISC Security Guidelines

FISC.T14, FISC.T7

MLPS 2.0

8.1.10.4, 8.1.4.4

DNB Good Practice

DNB.13.2, DNB.20.1, DNB.3.2

EU CRA

CRA.I.2b, CRA.I.2j, CRA.Info.8e

SWIFT CSCF

SWIFT.1.1, SWIFT.1.4, SWIFT.2.10, SWIFT.2.2, SWIFT.2.3

SAMA CSF

3.3, 3.5

NCA ECC

2-14, 2-3, 2-6, 5-1

UAE IA

T7

Qatar NIA

OS

CBUAE

CR-7

CBE CSF

CTO-6, CTO-7

SA JS2

JS2-7.2, JS2-8.4

CBN CSF

Part3.3

BoG CISD

CISD-VI

POPIA

s19

BoM CTRM

3.12, 3.2

CPMI-IOSCO PFMI

CG.PR

FFIEC IS

II.C.10, II.C.11, II.C.13(e), II.C.15(a)

ECB CROE

CROE.2.3.4

EBA ICT Guidelines

3.4.4

SEBI CSCRF

PR.ES, PR.IP

BOT Cyber Resilience

Ch2.1, Ch2.6

CMMC 2.0

CM

NERC CIP

CIP-005-7, CIP-007-6

10 CFR 73.54

RG5.71-B-CM

IEEE 1686-2022

5.6, 5.9

FERC CIP Orders

Order 887

DOE C2M2 v2.1

ASSET

API 1164

Sec 7

IAEA NSS 17-T

Sec 5.4

FIPS 140-3

FIPS 140-3 §7.6

Common Criteria

CC Part 2 — FMT

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.8

Lloyd's Minimum Standards

MS8.10, MS8.4

NAIC Insurance Data Security

4-config, 4B

FCA SYSC 13

SYSC 13.7.1

HITRUST CSF v11

09.a

FDA 21 CFR Part 11

§11.10(f)

ISO 27799

6.3

NHS DSPT

NDG-4.4

OWASP MASVS v2.1

MASVS-PLATFORM-1, MASVS-PLATFORM-2

CCSS v9.0

1.02.1, 1.05.4

MiCA

Art.68(1), Art.62(5)

Basel SCO60

SCO60.51, SCO60.64, SCO60.65

BSSC Standards

NOS-03, TIS-03

ISO 17799 (legacy)

None.

COBIT 4.1 (legacy)

None.