CMMC Practice Requirement:
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
CMMC Requirement Explanation:
By restricting the software that can be installed and run on your systems you reduce the risk of malicious software running. A software whitelist (deny-all, permit-by-exception) provides more security than a blacklist: it blocks anything that has not been explicitly approved, including malware you have never seen before, whereas a blacklist only stops software you already know about. A whitelist is also easier to keep complete, because you only need to enumerate the software you have approved rather than anticipate every program you want to stop.
Example CMMC Implementation:
You need to enforce either a software blacklist or a software whitelist policy on your systems.
Blacklist (deny-by-exception) option: Create a list of software that is not allowed on your systems. Enforce this list on your systems to prevent users from running or installing blacklisted software.
Whitelist (deny-all, permit-by-exception) option: Create a list of software that is allowed on your systems. Enforce this list to prevent users from running or installing any software that is not on it.
In either case, you might be able to use the anti-virus or endpoint protection software already installed on your systems to enforce the list. Operating-system features such as Windows AppLocker or Windows Defender Application Control can also enforce an allowlist or blocklist without a third-party product. Whichever tool you use, keep the list itself under change control (who approved each entry and why) and pilot the policy in an audit-only mode before blocking, so that business-critical software that was missed from the list is discovered before users are locked out.
- Scenario 1:
Your company has a software blacklist. It includes common non-essential programs that your employees like to use, such as iTunes and Spotify. You use your enterprise anti-virus solution to apply your blacklist to your systems. Whenever a user attempts to run or install the blacklisted software they are prevented from doing so.
- Scenario 2:
Your company has a software whitelist. It includes your standard software configuration (Microsoft Office, anti-virus, Adobe Acrobat, etc.) and other software that has an approved business need. You use your enterprise anti-virus solution to apply your whitelist to your systems. Software that is not on the whitelist is blocked from running.
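The following is an added example, not part of the CMMC text and not code from any particular vendor, showing how both scenarios above can be enforced with the AppLocker feature built into Windows rather than with an anti-virus product. It builds a deny-all, permit-by-exception policy for executables (Scenario 2) that also carries an explicit deny rule for a blacklisted program (Scenario 1), dry-runs the policy against a few files, and applies it in audit mode first. The publisher name, the paths, the iTunes deny rule and the file names used for testing are illustrative assumptions; run it in an elevated PowerShell session on a Windows edition that supports AppLocker enforcement.

```powershell
# Added example (not from the CMMC text): deny-all, permit-by-exception policy
# for the AppLocker "Exe" rule collection, piloted in AuditOnly before enforcing.
# Requires an elevated session on a Windows edition that enforces AppLocker.

# AppLocker rules are only evaluated while the Application Identity service runs.
# sc.exe is used because AppIDSvc is a protected service on current Windows builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Rule IDs are arbitrary GUIDs; fresh ones avoid collisions on re-runs.
$allowWin = [guid]::NewGuid()
$allowPF  = [guid]::NewGuid()
$allowPub = [guid]::NewGuid()
$denyIT   = [guid]::NewGuid()

# S-1-1-0 is the well-known SID for Everyone. Once a collection holds at least
# one rule and has an enforcement mode, anything not matched by an Allow rule
# is denied (deny-all, permit-by-exception). Deny rules win over Allow rules,
# so iTunes is blocked even though it lives under %PROGRAMFILES% (assumed path).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$allowWin" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$allowPF" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$allowPub" Name="Allow Microsoft-signed binaries" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$denyIT" Name="Deny iTunes (blacklist entry, example)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\iTunes\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-allowlist.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker what it WOULD decide, without changing the machine.
# notepad.exe in %WINDIR% is expected to be Allowed by the path rule. The copy
# placed in a user-writable folder is still Allowed, but by the publisher rule:
# publisher rules follow the signature, not the location, which is why broad
# "any Microsoft product" rules deserve scrutiny in a real allowlist.
$probeDir = Join-Path $env:LOCALAPPDATA 'Temp'
$probeCopy = Join-Path $probeDir 'probe-copy.exe'      # assumed scratch name
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probeCopy -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path @("$env:WINDIR\System32\notepad.exe", $probeCopy) -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probeCopy -Force

# Apply in AuditOnly. -Merge keeps any rule collections already configured
# (Script, Msi, Dll, Appx) instead of replacing the whole local policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# During the pilot, event ID 8003 in this log records what WOULD have been
# blocked. Review these before switching to enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# After the pilot: flip the collection to "Enabled" and re-apply.
$enforcedXml = $policyXml -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"'
Set-Content -Path $policyPath -Value $enforcedXml -Encoding UTF8
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # uncomment when ready to enforce

# Confirm what is actually in force on this host (local policy plus any GPO).
Get-AppLockerPolicy -Effective -Xml
```

Two caveats a practitioner will want. First, path rules are only as strong as the permissions on the paths: the broad %WINDIR% and %PROGRAMFILES% allow rules include subfolders that standard users can write to (for example %WINDIR%\Temp and %WINDIR%\Tasks), so add Deny rules for those locations or prefer publisher and hash rules for the software you approve. Second, this example only covers the Exe collection; scripts, installers, DLLs and packaged apps each have their own rule collection and need their own rules, and in a domain the policy should be delivered by Group Policy rather than set locally on each machine.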