
Remove all unnecessary functionality.


CONTROL ID
00882
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Document that all enabled functions support secure configurations., CC ID: 11985
  • Find and eradicate unauthorized world writable files., CC ID: 01541
  • Strip dangerous/unneeded SUID/SGID system executables., CC ID: 01542
  • Find and eradicate unauthorized SUID/SGID system executables., CC ID: 01543
  • Find and eradicate unowned files and unowned directories., CC ID: 01544
  • Disable logon prompts on serial ports., CC ID: 01553
  • Disable "nobody" access for Secure RPC., CC ID: 01554
  • Disable all unnecessary interfaces., CC ID: 04826
  • Remove rhosts support unless absolutely necessary., CC ID: 01555
  • Remove weak authentication services from Pluggable Authentication Modules., CC ID: 01556
  • Remove the /etc/hosts.equiv file., CC ID: 01559
  • Create the /etc/ftpd/ftpusers file., CC ID: 01560
  • Remove the X Wrapper and enable the X Display Manager., CC ID: 01564
  • Remove empty crontab files and restrict file permissions to the file., CC ID: 01571
  • Remove all compilers and assemblers from the system., CC ID: 01594
  • Disable all unnecessary applications unless otherwise noted in a policy exception., CC ID: 04827
  • Configure the "Devices: Allow undock without having to log on" setting., CC ID: 01728
  • Limit the user roles that are allowed to format and eject removable storage media., CC ID: 01729
  • Prevent users from installing printer drivers., CC ID: 01730
  • Minimize the inetd.conf file and set the file to the appropriate permissions., CC ID: 01506
  • Configure the unsigned driver installation behavior., CC ID: 01733
  • Configure the unsigned non-driver installation behavior., CC ID: 02038
  • Remove all demonstration applications on the system., CC ID: 01875
  • Configure the system to disallow optional Subsystems., CC ID: 04265
  • Configure the "Remove Security tab" setting., CC ID: 04380
  • Disable all unnecessary services unless otherwise noted in a policy exception., CC ID: 00880
  • Disable the automatic display of remote images in HTML-formatted e-mail., CC ID: 04494
  • Disable Remote Apply Events unless Remote Apply Events are absolutely necessary., CC ID: 04495
  • Disable Xgrid unless Xgrid is absolutely necessary., CC ID: 04496
  • Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly., CC ID: 05136
  • Disable Core dumps unless absolutely necessary., CC ID: 01507
  • Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly., CC ID: 05137
  • Set the Squid EUID and Squid GUID to an appropriate user and group., CC ID: 05138
  • Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate., CC ID: 05139
  • Use of the cron.allow file should be enabled or disabled as appropriate., CC ID: 06014
  • Use of the at.allow file should be enabled or disabled as appropriate., CC ID: 06015
  • Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate., CC ID: 06039
  • Enable or disable each user's Screen saver software, as necessary., CC ID: 06050
  • Disable any unnecessary scripting languages, as necessary., CC ID: 12137
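Most of the implementation-support controls above are host-level conditions that can be checked mechanically. The following POSIX shell script is an added example, not part of the UCF control text or of any authority document cited on this page: it audits a file-system tree for world-writable files, SUID/SGID executables outside an allowlist, unowned files and directories, and leftover .rhosts/hosts.equiv trust files, and it compares the list of enabled services against a documented baseline plus a policy-exception list (the "only documented functionality is present" evidence that the PCI DSS 2.2.5 testing procedures below ask for). The allowlist, baseline and exception file formats, the `/etc/hardening/*` paths and the `AUDIT_ROOT`/`SUID_ALLOWLIST` variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the UCF control text): a POSIX-sh audit for
# several of the implementation-support controls listed above, on a Linux host.
#   world_writable         CC 01541        world-writable regular files
#   suid_sgid_unexpected   CC 01542/01543  SUID/SGID files not in an allowlist
#   unowned                CC 01544        files/directories with no owner/group
#   trust_files            CC 01555/01559  .rhosts and hosts.equiv files
#   undocumented_services  CC 00880/04827/11985  enabled units that are in
#                          neither the documented baseline nor the exceptions
# File formats and the /etc/hardening/* paths are assumptions of this example.
# Errors from unreadable paths are suppressed so output stays machine-readable;
# run as root for full coverage.

# Common find prefix: stay on one file system, skip pseudo file systems.
scan() {  # scan ROOT <find expression...>
    _root=$1; shift
    find "$_root" -xdev \( -path /proc -o -path /sys \) -prune -o "$@" -print 2>/dev/null
}

world_writable() { scan "$1" -type f -perm -0002; }
unowned()        { scan "$1" \( -nouser -o -nogroup \); }
trust_files()    { scan "$1" \( -name .rhosts -o -name hosts.equiv \); }

# SUID/SGID files under ROOT ($1) that are not listed, one exact path per
# line, in the allowlist file $2 (/dev/null means "nothing is expected").
suid_sgid_unexpected() {
    scan "$1" -type f \( -perm -4000 -o -perm -2000 \) |
        awk -v allow="$2" '
            BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
            !($0 in ok)'
}

# Run every file-system check on ROOT ($1) with SUID/SGID allowlist $2:
# one tagged finding per line; exit status 1 when anything was found.
audit_tree() {
    {
        world_writable "$1"            | sed 's/^/WORLD_WRITABLE /'
        suid_sgid_unexpected "$1" "$2" | sed 's/^/SUID_SGID_UNEXPECTED /'
        unowned "$1"                   | sed 's/^/UNOWNED /'
        trust_files "$1"               | sed 's/^/TRUST_FILE /'
    } | awk '{ print; n++ } END { exit n > 0 }'
}

# Enabled units ($1, one per line) that appear in neither the documented
# baseline ($2: one unit per line, '#' comments allowed) nor the policy
# exception list ($3: "unit<TAB>ticket-or-reason" per line).
undocumented_services() {
    awk -v base="$2" -v exc="$3" '
        BEGIN {
            while ((getline l < base) > 0) {
                sub(/#.*/, "", l); gsub(/^[ \t]+|[ \t]+$/, "", l)
                if (l != "") ok[l] = 1
            }
            while ((getline l < exc) > 0) {
                split(l, f, "\t"); if (f[1] != "") ok[f[1]] = 1
            }
        }
        NF && !($1 in ok) { print "UNDOCUMENTED", $1 }' "$1"
}

# Usage on a live host (paths are assumptions of this example):
#   audit_tree / /etc/hardening/suid-allowlist.txt
#   systemctl list-unit-files --state=enabled --no-legend | awk '{print $1}' >/tmp/enabled
#   undocumented_services /tmp/enabled /etc/hardening/services-baseline.txt \
#       /etc/hardening/exceptions.tsv
if [ -n "${AUDIT_ROOT-}" ]; then
    audit_tree "$AUDIT_ROOT" "${SUID_ALLOWLIST:-/dev/null}"
fi
```

Findings are printed rather than fixed on purpose: the remediation controls above ("strip", "eradicate", "remove") should be applied through the change process with the policy-exception list as the record, and a non-zero exit status from `audit_tree` is what a configuration-compliance job or CI step keys on.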


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should ensure that there is no single point of failure in the systems/infrastructure components (e.g. through proper implementation of high availability server clusters, multiple network connections, redundancy of critical hardware or equipment), nor unnecessary connections or dependency upon le… (§ 9.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • T44: The organization shall minimize the number of connected devices, communication routes, and communications-related devices that can be accessed from external networks. The organization shall not connect unnecessary devices. T44.2: The organization shall securely set up computers that are connect… (T44, T44.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • With security in mind, it is necessary to ensure that unused functions are disabled or limited in usage and that unused software is not installed. (P118.8. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Unnecessary programmes and services: all unnecessary programs should be uninstalled, and all unnecessary services should be disabled. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • all unused and prohibited functionality is disabled. (Security Control: 0551; Revision: 7; Bullet 4, Australian Government Information Security Manual, March 2021)
  • Unneeded operating system accounts, software, components, services and functionality are removed or disabled. (Security Control: 0380; Revision: 7, Australian Government Information Security Manual, March 2021)
  • When using a software-based isolation mechanism to share a physical server's hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism. (Security Control: 1604; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Any unrequired functionality in Microsoft Office, web browsers and PDF viewers is disabled. (Security Control: 1470; Revision: 3, Australian Government Information Security Manual, March 2021)
  • all unused and prohibited functionality is disabled. (Control: ISM-0551; Revision: 7; Bullet 4, Australian Government Information Security Manual, June 2023)
  • Unneeded accounts, components, services and functionality of operating systems are disabled or removed. (Control: ISM-0380; Revision: 9, Australian Government Information Security Manual, June 2023)
  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. (Control: ISM-1671; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Unneeded accounts, components, services and functionality of server applications are disabled or removed. (Control: ISM-1247; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. (Control: ISM-1470; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Microsoft Office macros are blocked from making Win32 API calls. (Control: ISM-1673; Revision: 0, Australian Government Information Security Manual, June 2023)
  • If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces. (Control: ISM-0343; Revision: 6, Australian Government Information Security Manual, June 2023)
  • The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD Approved Cryptographic Protocol. (Control: ISM-1712; Revision: 1, Australian Government Information Security Manual, June 2023)
  • When using a software-based isolation mechanism to share a physical server's hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism. (Control: ISM-1604; Revision: 0, Australian Government Information Security Manual, June 2023)
  • auto-registration is disabled and only authorised devices are allowed to access the network (Control: ISM-0551; Revision: 7; Bullet 2, Australian Government Information Security Manual, June 2023)
  • 802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplicants and authentication servers. (Control: ISM-1321; Revision: 2, Australian Government Information Security Manual, June 2023)
  • TLS compression is disabled for TLS connections. (Control: ISM-1553; Revision: 1, Australian Government Information Security Manual, June 2023)
  • all unused and prohibited functionality is disabled. (Control: ISM-0551; Revision: 7; Bullet 4, Australian Government Information Security Manual, September 2023)
  • Unneeded accounts, components, services and functionality of operating systems are disabled or removed. (Control: ISM-0380; Revision: 9, Australian Government Information Security Manual, September 2023)
  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. (Control: ISM-1671; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Unneeded accounts, components, services and functionality of server applications are disabled or removed. (Control: ISM-1247; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. (Control: ISM-1470; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Microsoft Office macros are blocked from making Win32 API calls. (Control: ISM-1673; Revision: 0, Australian Government Information Security Manual, September 2023)
  • If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces. (Control: ISM-0343; Revision: 6, Australian Government Information Security Manual, September 2023)
  • The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD Approved Cryptographic Protocol. (Control: ISM-1712; Revision: 1, Australian Government Information Security Manual, September 2023)
  • When using a software-based isolation mechanism to share a physical server's hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism. (Control: ISM-1604; Revision: 0, Australian Government Information Security Manual, September 2023)
  • auto-registration is disabled and only authorised devices are allowed to access the network (Control: ISM-0551; Revision: 7; Bullet 2, Australian Government Information Security Manual, September 2023)
  • 802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplicants and authentication servers. (Control: ISM-1321; Revision: 2, Australian Government Information Security Manual, September 2023)
  • TLS compression is disabled for TLS connections. (Control: ISM-1553; Revision: 1, Australian Government Information Security Manual, September 2023)
  • The organization should disable external interfaces that allow Direct Memory Access on unclassified or non-sensitive systems if there is no business need for them. (Control: 0344, Australian Government Information Security Manual: Controls)
  • The organization must disable external interfaces that allow Direct Memory Access on classified or sensitive systems if there is no business need for them. (Control: 0345, Australian Government Information Security Manual: Controls)
  • The organization must develop a hardened Standard Operating Environment for servers and workstations that includes removing unnecessary software, operating system components, and hardware. (Control: 0380 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must develop a hardened Standard Operating Environment for servers and workstations that includes disabling undesired or unused functionality in Operating Systems, software, and hardware. (Control: 0380 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should implement controls that resolve known vulnerabilities that cannot be patched or a security patch is not available by asking the vendor for an alternate method to manage the vulnerability; disable the functionality that is associated with the vulnerability through product conf… (Control: 0941 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should remove or disable unnecessary Database Management System software features and procedures. (Control: 1247, Australian Government Information Security Manual: Controls)
  • The networking functionality of Database Management System software should be disabled, or configured to listen solely on the localhost interface, if only local access is required. (Control: 1272, Australian Government Information Security Manual: Controls)
  • The organization should disable ad hoc networks on network devices. (Control: 1308 Bullet 1, Australian Government Information Security Manual: Controls)
  • Wireless functionality should be disabled on all devices, preferably by a hardware switch, whenever they are connected to a fixed network. (Control: 1336, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony should be configured so that all prohibited and unused functionality is disabled, for unclassified systems. (Control: 0551 Bullet 4, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony must be configured so that all prohibited and unused functionality is disabled, for classified systems. (Control: 0552 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization should disable all protocols, permissions, functions, and features, unless they are required for the business operations. (¶ 26(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • All unnecessary functionality should be removed or disabled to reduce potential vulnerabilities to the system. (§ 3.5.8, Australian Government ICT Security Manual (ACSI 33))
  • The organization should disable all unnecessary system functionality, e.g., Internet Protocol v6, remote desktop, and autorun. (Mitigation Strategy Effectiveness Ranking 25, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should harden the workstation application security configurations (e.g., disabling unnecessary features in Microsoft Office applications, pdf viewers, and web browsers). (Mitigation Strategy Effectiveness Ranking 26, Strategies to Mitigate Targeted Cyber Intrusions)
  • During the installation process, deselect any packages, especially the X11 package, that are not going to be used. This reduces the risk of attackers using known vulnerabilities in unused packages to enter the system. If an upgrade from Mac OS X to Mac OS X 10.4 was performed, an adaptation of Mac O… (Pg 22, Pg 33, Mac OS X Security Configuration for version 10.4 or later, Second Edition)
  • Ensure that unnecessary packages are not installed in the container Description: Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface. Rationale: Unnecessary software should not be installed into conta… (4.3, The Center for Internet Security Docker Level 1 Docker Linux Benchmark, v 1.2.0)
  • Ensure that unnecessary packages are not installed in the container Description: Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface. Rationale: Unnecessary software should not be installed into conta… (4.3, The Center for Internet Security Docker Level 2 Docker Linux Benchmark, 1.2.0)
  • QuickFinder, a search engine for finding web data on the server, should be disabled. If it is being used, it should be better secured by using the following settings: AdminServlet.RequireSSL=TRUE; AdminServlet.Authenticate=TRUE; and Security.RequireHTTPS=TRUE. (§ 2.15, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • For a sample of system components, verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed. (§ 2.2.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the system configuration standards include procedures for removing all unnecessary functionality. (Testing Procedures § 2.2.d Bullet 6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Inspect the configurations of a sample of system components to verify that all unnecessary functionality has been removed. (Testing Procedures § 2.2.5.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must remove all unnecessary functionality. (§ 2.2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components, verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed. (§ 2.2.4.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • All unnecessary functionality must be removed from the system. (PCI DSS Requirements § 2.2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. (2.2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. (2.2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. (2.2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Has all unnecessary functionality - such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers - been removed? (2.2.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is only documented functionality present on system components? (2.2.5 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Has all unnecessary functionality - such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers - been removed? (2.2.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is only documented functionality present on system components? (2.2.5(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? (2.2.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is only documented functionality present on system components? (2.2.5 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? (2.2.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is only documented functionality present on system components? (2.2.5(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? (2.2.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is only documented functionality present on system components? (2.2.5 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is only documented functionality present on system components? (2.2.5(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? (2.2.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? (2.2.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is only documented functionality present on system components? (2.2.5 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is only documented functionality present on system components? (2.2.5(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? (2.2.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is only documented functionality present on system components? (2.2.5 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? (2.2.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Has all unnecessary functionality—such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers—been removed? (2.2.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is only documented functionality present on system components? (2.2.5(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed. (2.2.5.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration. (2.2.5.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components. (2.2.5.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • All services, daemons, and protocols required by the application or enabled should be examined. The payment application must not use or require the use of unnecessary and insecure services or protocols. (§ 5.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. (2.2.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • All unnecessary functionality is removed or disabled. (2.2.4.b Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Do system configuration standards include removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers? (PCI DSS Question 2.2(d) Bullet 6, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed? (PCI DSS Question 2.2.5(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers? (PCI DSS Question 2.2(d) Bullet 6, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed? (PCI DSS Question 2.2.5(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed? (PCI DSS Question 2.2.5(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers? (PCI DSS Question 2.2(d) Bullet 6, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed? (PCI DSS Question 2.2.5(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do system configuration standards include removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers? (PCI DSS Question 2.2(d) Bullet 6, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed? (PCI DSS Question 2.2.5(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Merchants should disable any communication capabilities not necessary for the functioning of the payment solution. (¶ 5.5.1, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. (2.2.4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. (2.2.4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. (2.2.4, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. (2.2.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. (2.2.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Information contained in databases should be protected by restricting access to, or removing standard menus (e.g., by hiding the standard menus or replacing standard menus with a customized menu to prevent access to developer functions). (CF.13.03.09, The Standard of Good Practice for Information Security)
  • The security of instant messaging applications should be improved by disabling unauthorized features (e.g., saving transcripts, file sharing, video, and audio). (CF.15.02.03a, The Standard of Good Practice for Information Security)
  • Servers should be configured in accordance with documented standards / procedures, which should cover disabling or restricting unnecessary functions or services. (CF.07.02.01b, The Standard of Good Practice for Information Security)
  • Servers should be configured to disable or restrict run commands or command processors (e.g., perl or tcl). (CF.07.02.03f, The Standard of Good Practice for Information Security)
  • External access should be prevented if unauthorized (or when no longer required) by removing or disabling control settings (e.g., software configuration settings). (CF.09.03.10c, The Standard of Good Practice for Information Security)
  • The integrity of information contained in Critical spreadsheets should be assured by restricting access to or removing standard menus (e.g., by hiding the standard menus or replacing standard menus with a customized menu to prevent access to developer functions). (CF.13.02.06d, The Standard of Good Practice for Information Security)
  • Information contained in databases should be protected by restricting access to, or removing standard menus (e.g., by hiding the standard menus or replacing standard menus with a customized menu to prevent access to developer functions). (CF.13.03.09, The Standard of Good Practice for Information Security, 2013)
  • The security of instant messaging applications should be improved by disabling unauthorized features (e.g., saving transcripts, file sharing, video, and audio). (CF.15.02.03a, The Standard of Good Practice for Information Security, 2013)
  • External access should be prevented if unauthorized (or when no longer required) by removing or disabling control settings (e.g., software configuration settings). (CF.09.03.10c, The Standard of Good Practice for Information Security, 2013)
  • The integrity of information contained in Critical spreadsheets should be assured by restricting access to or removing standard menus (e.g., by hiding the standard menus or replacing standard menus with a customized menu to prevent access to developer functions). (CF.13.02.06d, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured to disable or restrict run commands or command processors (e.g., perl or tcl). (CF.07.02.05f, The Standard of Good Practice for Information Security, 2013)
  • Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures. (14.3.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that all unneeded features, documentation, sample applications and configurations are removed. (14.2.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • The organization should uninstall or remove libraries, sample scripts, compilers, components, and other code that is not being used by the application. (Critical Control 6.9, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should turn unneeded services off for 30 days and uninstall them after 30 days. (Critical Control 11.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should keep all services up-to-date and uninstall and remove any unnecessary components. (Critical Control 11.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error check… (CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures, CIS Controls, V8)
  • Any system utilities or other programs that are not necessary should be disabled or removed. (§ 11.5.4, ISO 27002 Code of practice for information security management, 2005)
  • Components are capable of providing a wide variety of functions and services. Some of the functions and services provided may not be necessary to support IACS functionality. Therefore, by default, functions beyond a baseline configuration should be disabled. Additionally, it is sometimes convenient … (11.9.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Components shall provide the capability to specifically restrict the use of unnecessary functions, ports, protocols and/or services. (11.9.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Configures the information system to provide only essential capabilities; and (CM-7a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Configures the information system to provide only essential capabilities; and (CM-7a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Configures the information system to provide only essential capabilities; and (CM-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4)(e), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Configures the information system to provide only essential capabilities; and (CM-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4)(e), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should restrict logical access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. (Generally Accepted Privacy Principles and Criteria § 8.2.2 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should restrict access to master passwords, powerful utilities, system configurations, Superuser functionality, and security devices. (Table Ref 8.2.2.i, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • For Oracle, the organization must remove the extproc binary from the host ($ORACLE_HOME/bin/extproc) and remove the entry in tnsnames.ora, if extproc functionality is not required. (Table F-9, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.1.4: The organization must disable all file system access that is not explicitly required for application, administrator, or system functionality. CSR 10.7.9: The organization must disable all system services, ports, and network protocols that are not explicitly required for application and sy… (CSR 2.1.4, CSR 10.7.9, CSR 10.8.7, CSR 10.8.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • POSIX files should not be installed on the system. If "posix.exe", "psxss.exe", and/or "psxdll.dll" exists, they should be removed from the system. (§ 5.1.2, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • POSIX subsystem components should not be installed on the system. If a search of the system locates the "POSIX.EXE", "PSXSS.EXE", or "PSXDLL.DLL" files, then the components are installed and should be removed. Microsoft Internet Zone Games and MSN Explorer should be removed from the system. (§ 5.1.2, § 5.10.1.1, § 5.10.1.2, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • The agency shall configure applications, Information Systems, and services to provide only the necessary capabilities. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services. (§ 5.7.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall configure the application, service, or information system to provide only essential capabilities and shall specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services. (§ 5.7.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The organization should strictly control the use of utility programs. (Pg 57, Exam Obj 10.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Configures the information system to provide only essential capabilities; and (CM-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews exceptions to the traffic flow policy [FedRAMP Assignment: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4)(e) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews exceptions to the traffic flow policy [FedRAMP Assignment: at least annually] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4)(e) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Configures the information system to provide only essential capabilities; and (CM-7a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Configures the information system to provide only essential capabilities; and (CM-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), FedRAMP Security Controls High Baseline, Version 5)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., FedRAMP Security Controls High Baseline, Version 5)
  • Review exceptions to the traffic flow policy [FedRAMP Assignment: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions] and remove exceptions that are no longer supported by an explicit mission or business need; (SC-7(4)(e), FedRAMP Security Controls High Baseline, Version 5)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., FedRAMP Security Controls Low Baseline, Version 5)
  • Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Review exceptions to the traffic flow policy [FedRAMP Assignment: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions] and remove exceptions that are no longer supported by an explicit mission or business need; (SC-7(4)(e), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? (IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (SC-7(4)(e), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (SC-7(4)(e), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review and remove exceptions that are no longer supported. (SC-7(24) ¶ 1(d), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records and documents should be examined on a regular basis to ensure all unnecessary functions, ports, protocols, and services have been disabled or removed from the system. Test the system to ensure all identified functions, ports, protocols, and services have been disabled or remov… (CM-7(1), CM-7.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Configures the information system to provide only essential capabilities; and (CM-7a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Configures the information system to provide only essential capabilities; and (CM-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Configures the information system to provide only essential capabilities; and (CM-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1) ¶ 1(b) Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1) ¶ 1(b) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1) ¶ 1(b) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4) ¶ 1(e) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4) ¶ 1(e) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Wireless interfaces, such as Bluetooth, WiFi, and infrared, should be disabled when not needed, and automatic connections to cellular data services should be turned off. If possible, unneeded functions should be removed to prevent them from being reactivated. Another option is to subscribe only to t… (§ 4.1.6, § 4.1.8, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • (§ 5.2, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)
  • The organization should disable wireless networking capabilities that are embedded inside of smart grid Information System components, when it is not intended for use. (SG.AC-15 Additional Considerations A4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should review the system on an organizationally defined period to identify and restrict any unnecessary protocols, ports, services, and/or functions. (SG.CM-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must configure the system to provide only essential capabilities and to specifically prohibit or restrict certain functions, ports, protocols, and services as defined by organizational policy. (App F § CM-7, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System must use processing components that have minimal functionality and information storage. (App F § SC-25, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot use automated mechanisms to prevent a program from executing. (App I § CM-7 Control Enhancement: (2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must remove all unused and unnecessary functions and services from the Industrial Control System. (App I § SI-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizationally documented information system components} with minimal functionality and information storage. (SC-25 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Configures the information system to provide only essential capabilities; and (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Configures the information system to provide only essential capabilities; and (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Configures the information system to provide only essential capabilities; and (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Configures the information system to provide only essential capabilities; and (CM-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage. (SC-25 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4)(e), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]. (SC-25 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (SC-7(4)(e), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and remove exceptions that are no longer supported. (SC-7(24) ¶ 1(d), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]. (SC-25 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (SC-7(4)(e), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and (CM-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review and remove exceptions that are no longer supported. (SC-7(24) ¶ 1(d), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Configures the information system to provide only essential capabilities; and (CM-7a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Configures the information system to provide only essential capabilities; and (CM-7a., TX-RAMP Security Controls Baseline Level 1)
  • Configures the information system to provide only essential capabilities; and (CM-7a., TX-RAMP Security Controls Baseline Level 2)
  • Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]. (CM-7(1)(b), TX-RAMP Security Controls Baseline Level 2)
  • Reviews exceptions to the traffic flow policy [TX-RAMP Assignment: at least annually] and removes exceptions that are no longer supported by an explicit mission/business need. (SC-7(4)(e), TX-RAMP Security Controls Baseline Level 2)
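The PCI DSS 2.2.4, NIST CM-7 / CM-7(1), NISTIR 7628 SG.CM-7 and SC-7(4)(e) statements above all reduce to the same operational check: enumerate what the host actually exposes and runs, compare it with the documented list of essential capabilities, and treat every approved exception as something with a business need and a review date that must be removed once it lapses. The following is an added example of that review, written for this page and not taken from any of the cited standards. The baseline, the exception register, the `ss` and `systemctl` output and the review date are all constructed for illustration; the only real interfaces it relies on are `ss -Hlntu` (iproute2) and `systemctl list-unit-files --type=service --state=enabled --no-legend` (systemd).

```python
"""Allowlist-based 'only essential capabilities' review (added example).

Assumptions (hypothetical, for illustration only): BASELINE is the organization's
documented build standard for a web server role, EXCEPTIONS is its exception
register, and the SAMPLE_* strings are constructed command output, not captured
from a real host.
"""
import re
import subprocess
from datetime import date

# Constructed baseline: listeners and enabled units the build standard permits.
BASELINE = {
    "ports": {("tcp", 22), ("tcp", 443)},
    "services": {"sshd.service", "nginx.service", "chronyd.service"},
}

# Constructed exception register. Each entry carries an explicit need and a
# review date; once the date passes the exception no longer covers the item.
EXCEPTIONS = [
    {"item": ("tcp", 9100), "need": "metrics scrape", "review_by": date(2030, 1, 1)},
    {"item": "cups.service", "need": "legacy label printer", "review_by": date(2020, 6, 30)},
]

# `ss -Hlntu` rows: Netid State Recv-Q Send-Q Local:Port Peer:Port (no header with -H).
SS_LINE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")

SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      4096            *:9100            *:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

SAMPLE_SYSTEMCTL = """\
sshd.service          enabled enabled
nginx.service         enabled enabled
chronyd.service       enabled enabled
cups.service          enabled disabled
avahi-daemon.service  enabled enabled
"""

SAMPLE_TODAY = date(2025, 1, 1)  # constructed review date for the sample run


def parse_ss(output):
    """Return the set of (proto, port) sockets in LISTEN/UNCONN state."""
    listeners = set()
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.add((m.group("proto"), int(m.group("port"))))
    return listeners


def parse_systemctl(output):
    """Return enabled unit names; handles both 2-column and 3-column (preset) output."""
    return {p[0] for p in (ln.split() for ln in output.splitlines())
            if len(p) >= 2 and p[1] == "enabled"}


def active_exceptions(today):
    """Split the register into items still covered and entries past their review date."""
    live, expired = set(), []
    for ex in EXCEPTIONS:
        (live if ex["review_by"] >= today else expired).__class__  # no-op, keeps branches explicit
        if ex["review_by"] >= today:
            live.add(ex["item"])
        else:
            expired.append(ex)
    return live, expired


def review(listeners, units, baseline=BASELINE, today=None):
    """Compare observed state with the baseline plus still-valid exceptions."""
    today = today or date.today()
    covered, expired = active_exceptions(today)
    return {
        # exposed or enabled but neither in the standard nor under a live exception
        "unexpected_ports": sorted(listeners - baseline["ports"] - covered),
        "unexpected_services": sorted(units - baseline["services"] - covered),
        # exceptions whose justification has lapsed (SC-7(4)(e): remove them)
        "expired_exceptions": [ex["item"] for ex in expired],
        # allowlisted items nothing on the host uses: candidates for tightening
        "unused_allowlist": sorted((baseline["ports"] - listeners)
                                   | (baseline["services"] - units), key=str),
    }


def collect_live():
    """Gather the same inventory from the running Linux host (needs iproute2 + systemd)."""
    ss = subprocess.run(["ss", "-Hlntu"], capture_output=True, text=True, check=True).stdout
    sc = subprocess.run(["systemctl", "list-unit-files", "--type=service",
                         "--state=enabled", "--no-legend"],
                        capture_output=True, text=True, check=True).stdout
    return parse_ss(ss), parse_systemctl(sc)


if __name__ == "__main__":
    for key, val in review(parse_ss(SAMPLE_SS), parse_systemctl(SAMPLE_SYSTEMCTL),
                           today=SAMPLE_TODAY).items():
        print(f"{key}: {val}")
```

On the constructed sample the review reports tcp/631 and udp/161 as unexpected listeners, `avahi-daemon.service` and `cups.service` as unexpected units (the cups exception lapsed in 2020, so it no longer covers the unit), and lists that lapsed exception for removal, while tcp/9100 stays quiet because its exception is still within its review window. Replace the sample parsers' input with `collect_live()` to run it against a real host; to attribute an unexpected port to a process, rerun `ss` with `-p` as root, which this example deliberately does not parse.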