CMMC Practice Requirement:

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

CMMC Requirement Explanation:

By removing non-mission essential software, ports, and services from your system you are reducing their attack surface.

Example CMMC Implementation:

Review the systems deployed at your company and remove non-essential software, ports, and services. Your systems should only have enough functionality to complete their mission.


- Scenario 1:

Alice, a system administrator wants to ensure that her servers are configured in accordance with the prinicpal of least functionality. She runs port scans against them and identifies several open ports that are non-essential. She closes the ports thus reducing their attack surface.

- Scenario 2:

Alice conducts an audit of her company's workstations and discovers that several users have installed video games on their computers. She uninstalls the games and any other non-essential software from the workstations.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance