Least functionality

The Principle of Least Functionality, Simplicity is the Ultimate Sophistication

February 15, 2021
Employing the principle of least functionality is critical for organizations seeking to reduce their cyber risk.

What is the Principle of Least Functionality?

The principle of least functionality calls for the configuration of systems to provide only essential capabilities. This means that systems are to only have mission-essential software installed, only essential ports open and essential services on. Nothing more nothing less.

Benefits of the Principle of Least Functionality

The principle of least functionality provides several benefits. The most apparent benefit is that systems configured to provide only essential capabilities have an inherently smaller attack surface. Why? Because they only have essential ports open, they only have essential software installed, and they have a limited number of services on. As a result an attacker has less avenues of attack. There are less ports, software, and services for the attacker to exploit. Is it easier to attack a web server with only ports 80 (HTTP), and 443 (HTTPS) open or a web server with ports 80, 443, and 21 (FTP) open? Obviously the web server with more open ports is easier to attack.
Least Functionality
Another benefit of the principle of least functionality is that systems with only essential capabilities are easier to maintain. Why? Because they have less software installed, IT staff have less software to patch. Because they have less services on, there is less that can go wrong. A system configured with the principle of least functionality is also easier to troubleshoot.
As Leonardo Da Vinci said, “simplicity is the ultimate sophistication”.

Least Functionality vs. Least Privilege

People new to information security and cybersecurity often confuse “least functionality” with “least privilege”. Least functionality deals with how systems are configured, least privilege deals with providing hat users and programs only the necessary privileges to complete their tasks. Least privilege is determining which user account should have which privileges. This involves assigning administrative rights to some users and not others.

CMMC Least Functionality Requirement

Companies with cybersecurity maturity model certification (CMMC) level two or higher requirements are required to employ the principle of least functionality.
Here is the CMMC least functionality requirement, “CM.2.062 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.“
For more on this CMMC requirement check out our CMMC handbook CMMC handbook

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance