CMMC Practice Requirement:

Control and monitor user-installed software.

CMMC Requirement Explanation:

Allowing users to install software on their systems increases cyber risk. They can accidentally install malware on their systems and the more software you have on your systems the larger your attack surface. It is is also difficult to keep unapproved software updated which can result in increased risk.

Example CMMC Implementation:

Do not provide your end users with administrative privileges as this allows them to install any software they wish. Uninstall any software from your systems that does not have an approved business need.


- Scenario 1:

John, an end user attempts to install a game onto his company workstation. He is prompted for an admin password. Because he is not an admin he is unable to install the game. John asks Alice, a system administrator to install it. She informs him that only approved software may be installed.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance