NIST SP 800-171 & CMMC 2.0 Control 3.4.6 Requirement:

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

NIST SP 800-171 & CMMC 2.0 3.4.6 Requirement Explanation:

Configure your systems to remove non-essential applications, disable unnecessary services, and close unused ports. Systems ship with many applications, services, protocols, and settings enabled by default that your organization never uses. Leave only the capabilities each system needs to perform its mission. Every piece of software, listening port, or enabled protocol is code an attacker can target, so removing non-mission-essential software, ports, and services from your devices reduces their attack surface.

Example NIST SP 800-171 & CMMC 2.0 3.4.6 Implementation:

Review the systems deployed at your company and remove non-essential software, ports, and services. A system should have only enough functionality to complete its mission. Review all your computers and servers for unnecessary software and uninstall it; unnecessary software is software that has no documented business need. Scan your servers' ports with Nmap to identify open ports and the services listening on them. For each open port, decide whether the service is essential; if it is not, stop and disable the service (or uninstall the software that provides it) rather than only blocking the port at a firewall, then re-scan to confirm the port is no longer open.
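The following script is an added example and is not part of the original page. It turns the port-scan step above into a repeatable check: it parses Nmap's grepable output (`nmap -oG`) for a host, compares the open TCP ports against an allowlist of ports the host is expected to need, and prints any port that is open but not on the list. The host address, the allowlist, and the scan text embedded in the script are constructed sample data, not the output of a real scan.

```shell
#!/bin/sh
# Added example (not from the original page): flag open TCP ports that are not
# on a per-host allowlist, using nmap's grepable (-oG) output as input.
#
# Real input is produced with:  nmap -sT -p- -oG scan.gnmap <host>
# The scan below is a constructed sample for a fictional host 10.0.0.5 and is
# NOT a real scan result; the allowlist "22 443" is likewise an assumption.

TAB=$(printf '\t')   # nmap separates grepable fields with a literal tab

SAMPLE_SCAN=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated (constructed sample)' \
  "Host: 10.0.0.5 ()${TAB}Status: Up" \
  "Host: 10.0.0.5 ()${TAB}Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/closed/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///${TAB}Ignored State: filtered (65530)" \
  '# Nmap done (constructed sample)')

# open_ports: read grepable nmap output on stdin and print each open TCP port,
# one per line, in ascending numeric order. Closed/filtered ports are skipped.
open_ports() {
    grep '^Host:.*Ports:' \
      | sed -e 's/.*Ports: //' -e "s/${TAB}Ignored State.*//" \
      | tr ',' '\n' \
      | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/[[:space:]]/, "", $1); print $1 }' \
      | sort -n
}

# unexpected_ports ALLOWED SCAN: print every open TCP port in SCAN (grepable
# text) that does not appear in ALLOWED (a space-separated list of ports).
# Empty output means every open port is on the allowlist.
unexpected_ports() {
    allowed=" $1 "
    printf '%s\n' "$2" | open_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;               # expected: on the allowlist
            *) printf '%s\n' "$port" ;;   # unexpected: candidate to disable
        esac
    done
}

# Usage against a saved scan:  unexpected_ports "22 443" "$(cat scan.gnmap)"
if [ -n "$(unexpected_ports "22 443" "$SAMPLE_SCAN")" ]; then
    echo "Open TCP ports on 10.0.0.5 that are not on the allowlist (review and disable):"
    unexpected_ports "22 443" "$SAMPLE_SCAN"
else
    echo "All open TCP ports on 10.0.0.5 are on the allowlist."
fi
```

With the constructed scan and the allowlist "22 443", the script reports ports 25 and 3306 (80 is reported as closed, so it is not listed). On the host itself, `ss -ltnp` shows which process owns each flagged port; the service is then disabled with `systemctl disable --now <unit>` or removed by uninstalling its package, and the scan is repeated to confirm the port is gone. Keeping the allowlist under version control gives you a record of the "essential capabilities" decision for each system that an assessor can review.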

NIST SP 800-171 & CMMC 2.0 3.4.6 Scenario(s):

- Scenario 1:

Alice, a system administrator, wants to ensure that her servers are configured in accordance with the principle of least functionality. She runs port scans against them and identifies several open ports whose services are non-essential. She disables those services, closing the ports and reducing the servers' attack surface.

- Scenario 2:

Alice audits her company's workstations and discovers that several users have installed video games on their computers. Because the games have no business need, she uninstalls them, along with any other non-essential software, from the workstations.

