Overview
  1. 03.01: Access Control
  2. 03.02: Awareness and Training
  3. 03.03: Audit and Accountability
  4. 03.04: Configuration Management
  5. 03.05: Identification and Authentication
  6. 03.06: Incident Response
  7. 03.07: Maintenance
  8. 03.08: Media Protection
  9. 03.09: Personnel Security
  10. 03.10: Physical Protection
  11. 03.11: Risk Assessment
  12. 03.12: Security Assessment
  13. 03.13: System and Communications Protection
  14. 03.14: System and Information Integrity

Security Requirements for 03.04.07 Nonessential Functionality

Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.

Evidence

  1. 03.04.07.a

    Essential programs are defined

  1. 03.04.07.b

    The use of nonessential programs is defined

  1. 03.04.07.c

    The use of nonessential programs is restricted, disabled, or prevented as defined

  1. 03.04.07.d

    Essential functions are defined

  1. 03.04.07.e

    The use of nonessential functions is defined

  1. 03.04.07.f

    The use of nonessential functions is restricted, disabled, or prevented as defined

  1. 03.04.07.g

    Essential ports are defined

  1. 03.04.07.h

    The use of nonessential ports is defined

  1. 03.04.07.i

    The use of nonessential ports is restricted, disabled, or prevented as defined

  1. 03.04.07.j

    Essential protocols are defined

  1. 03.04.07.k

    The use of nonessential protocols is defined

  1. 03.04.07.l

    The use of nonessential protocols is restricted, disabled, or prevented as defined

  1. 03.04.07.m

    Essential services are defined

  1. 03.04.07.n

    The use of nonessential services is defined

  1. 03.04.07.o

    The use of nonessential services is restricted, disabled, or prevented as defined