NIST SP 800-171 & CMMC 2.0 3.4.8 Requirement:

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

NIST SP 800-171 & CMMC 2.0 3.4.8 Requirement Explanation:

By restricting the software that can be installed and run on your systems, you reduce the risk of malicious software running. A software whitelisting policy provides more security than a blacklist. Whitelists are also easier to maintain.

Example NIST SP 800-171 & CMMC 2.0 3.4.8 Implementation:

You need to enforce either a software blacklist or a software whitelist policy on your systems.

Blacklist (deny-by-exception) option: Create a list of software that is not allowed on your systems. Enforce this list on your systems to prevent users from running or installing blacklisted software. You might be able to use the anti-virus software installed on your systems to enforce your blacklist.

Whitelist (deny-all, permit-by-exception) option: Create a list of software that is allowed on your systems. Enforce this list to prevent users from running or installing unauthorized software. You might be able to use the anti-virus software installed on your systems to enforce your whitelist.

NIST SP 800-171 & CMMC 2.0 3.4.8 Scenario(s):

- Scenario 1:

Your company has a software blacklist. It includes common non-essential programs that your employees like to use, such as iTunes and Spotify. You use your enterprise anti-virus solution to apply your blacklist to your systems. Whenever a user attempts to run or install blacklisted software, they are prevented from doing so.

- Scenario 2:

Your company has a software whitelist. It includes your standard software configuration (Microsoft Office, anti-virus, Adobe Acrobat, etc.) and other software that has an approved business need. You use your enterprise anti-virus solution to apply your whitelist to your systems. Software that is not on the whitelist is blocked from running.
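As an added illustration of why the whitelist option is the stronger choice (example code written for this page, not part of the original, with constructed byte strings standing in for real executables): a hash-based deny-by-exception rule stops only the exact build it names, while the permit-by-exception baseline also stops a new build of the same program and an unknown download without any rule change.

```python
import hashlib

# Constructed stand-ins for executable contents (not real binaries); the
# names mirror the page's scenarios: approved office software versus
# non-essential or unknown programs that show up on user workstations.
SAMPLE_FILES = {
    "winword.exe": b"MZ-office-build-1",
    "acrobat.exe": b"MZ-acrobat-build-1",
    "spotify.exe": b"MZ-spotify-build-1",
    "spotify.exe (new release)": b"MZ-spotify-build-2",  # same app, new hash
    "invoice_viewer.exe": b"MZ-never-seen-before",        # unknown download
}

def file_hash(data: bytes) -> str:
    """SHA-256 of the file contents, the identifier most allow/deny rules key on."""
    return hashlib.sha256(data).hexdigest()

def decide(mode: str, listed: set, digest: str) -> str:
    """Apply one execution policy to one file hash."""
    if mode == "blacklist":   # deny-by-exception: only listed hashes are stopped
        return "blocked" if digest in listed else "allowed"
    if mode == "whitelist":   # deny-all, permit-by-exception: only listed hashes run
        return "allowed" if digest in listed else "blocked"
    raise ValueError(f"unknown policy mode: {mode}")

def evaluate(mode: str, listed_names: list) -> dict:
    """Run every sample file through a policy built from the named entries."""
    listed = {file_hash(SAMPLE_FILES[name]) for name in listed_names}
    return {name: decide(mode, listed, file_hash(data))
            for name, data in SAMPLE_FILES.items()}

def unauthorized_that_ran(mode: str, listed_names: list, approved: set) -> list:
    """Names of files outside the approved set that the policy still let run."""
    verdicts = evaluate(mode, listed_names)
    return sorted(n for n, v in verdicts.items()
                  if v == "allowed" and n not in approved)

if __name__ == "__main__":
    approved = {"winword.exe", "acrobat.exe"}
    # Scenario 1: a blacklist naming the Spotify build known at the time
    print("blacklist gaps:", unauthorized_that_ran("blacklist", ["spotify.exe"], approved))
    # Scenario 2: a whitelist of the standard software configuration
    print("whitelist gaps:", unauthorized_that_ran("whitelist", sorted(approved), approved))
```

The blacklist run reports the rebuilt Spotify and the unknown download as gaps, which is exactly the maintenance burden the explanation above refers to; the whitelist run reports none.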