Establish, implement, and maintain whitelists and blacklists of software.

CONTROL ID
11780
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain information flow control policies inside the system and between interconnected systems., CC ID: 01410

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Security measures, such as application white-listing, should be implemented to ensure only authorised software is allowed to be installed on the FI's systems. (§ 11.3.6, Technology Risk Management Guidelines, January 2021)
  • Assess the applications that users can install and establish a policy for the use and tracking of the organisation's portable computing devices and removable storage media. (Annex A1: Portable Computing & Removable Storage Media Security 46, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Microsoft's 'recommended block rules' are implemented. (Control: ISM-1544; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Microsoft's 'recommended driver block rules' are implemented. (Control: ISM-1659; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Application control is implemented on internet-facing servers. (Control: ISM-1490; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF software and security products are restricted to an organisation-approved set. (Control: ISM-1235; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Application control is implemented on workstations. (Control: ISM-0843; Revision: 9, Australian Government Information Security Manual, June 2023)
  • Application control is implemented on non-internet-facing servers. (Control: ISM-1656; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Microsoft's 'recommended block rules' are implemented. (Control: ISM-1544; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Microsoft's 'recommended driver block rules' are implemented. (Control: ISM-1659; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Application control is implemented on internet-facing servers. (Control: ISM-1490; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF software and security products are restricted to an organisation-approved set. (Control: ISM-1235; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Application control is implemented on workstations. (Control: ISM-0843; Revision: 9, Australian Government Information Security Manual, September 2023)
  • Application control is implemented on non-internet-facing servers. (Control: ISM-1656; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients. (Control: ISM-1871; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients. (Control: ISM-1870; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The organization must implement application whitelists for workstations and servers. (Control: 0843, Australian Government Information Security Manual: Controls)
  • The organization must ensure application whitelists do not replace antivirus software and Internet security software. (Control: 0847, Australian Government Information Security Manual: Controls)
  • The organization must ensure System Administrators are not exempt from application whitelists. (Control: 0848, Australian Government Information Security Manual: Controls)
  • The organization should plan and test the application whitelists thoroughly before implementing them. (Control: 0851, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony should be configured so that only a whitelist of authorized devices are allowed to Access the network, for unclassified systems. (Control: 0551 Bullet 2, Australian Government Information Security Manual: Controls)
  • Internet Protocol telephony must be configured so that only a whitelist of authorized devices are allowed to Access the network, for classified systems. (Control: 0552 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should use a whitelist to restrict client-side active content, such as ActiveX and Java. (Control: 0961, Australian Government Information Security Manual: Controls)
  • An APRA-regulated entity would typically introduce processes to identify and classify end-user developed/configured software and assess risk exposures. In APRA's view, any information software asset that is critical to achieving the objectives of the business or that processes sensitive data would c… (58., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution would normally introduce processes to identify the existence of end-user developed/configured software and assess its risk exposure. In APRA's view, any IT software asset that is critical to achieving the objectives of the business, or processes sensitive data/information, wo… (¶ 60, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Application whitelisting (Continue to Q 41-43) (Malware protection Question 36(b), Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Does the organisation maintain a list of approved applications (Malware protection Question 42, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from. (12.6.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenie… (Control 2.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should use application whitelists to manage and control software configuration changes. (Critical Control 3.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. (CIS Control 2: Sub-Control 2.7 Utilize Application Whitelisting, CIS Controls, 7.1)
  • The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process. (CIS Control 2: Sub-Control 2.8 Implement Application Whitelisting of Libraries, CIS Controls, 7.1)
  • Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. (CIS Control 2: Sub-Control 2.7 Utilize Application Whitelisting, CIS Controls, V7)
  • The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process. (CIS Control 2: Sub-Control 2.8 Implement Application Whitelisting of Libraries, CIS Controls, V7)
  • Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. (CIS Control 2: Safeguard 2.5 Allowlist Authorized Software, CIS Controls, V8)
  • Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. (CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries, CIS Controls, V8)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5)(a), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • prevent the use of unauthorized software through the use of application whitelists; (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 6, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Application whitelisting; or (Attachment 1 Section 1. 1.4. Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Review of application whitelisting used by the party; (Attachment 1 Section 2. 2.2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Introduction of Malicious Code Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the introduction of malicious code (per Transient Cyber Asset capability): - Antivirus software, including manual or managed updates of signatures or patterns; - Applic… (Section 1. 1.4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Introduction of malicious code mitigation: Use one or a combination of the following methods to achieve the objective of mitigating malicious code (per Transient Cyber Asset capability): - Review of antivirus update level; - Review of antivirus update process used by the party; - Review of applicati… (Section 2. 2.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Application whitelisting; or (Attachment 1 Section 1. 1.4. Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Review of application whitelisting used by the party; (Attachment 1 Section 2. 2.2 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Review of application whitelisting used by the party; (Attachment 1 Section 5. 5.2 5.2.1 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Application whitelisting; or (Attachment 1 Section 5. 5.1 Bullet 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (CM.3.069, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Employ application whitelisting and an application vetting process for systems identified by the organization. (CM.4.073, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (CM.3.069, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (CM.3.069, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ application whitelisting and an application vetting process for systems identified by the organization. (CM.4.073, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (CM.L2-3.4.8 Application Execution Policy, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The DoD DMZ Whitelist implementation supports USCYBERCOM's TASKORD 12-0371 and subsequent FRAGOs which support the operation of the DoD DMZ program. In the event the Mission Owners Cloud based systems/applications requires traffic to traverse the DISN IAPs, the systems/applications URLs/IP addresses… (Section 5.17.2 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Register the service/application with the DoD DMZ Whitelist for both inbound and outbound traffic if traffic will cross the IAPs. See section 5.17.2 DoD DMZ Whitelist for more information. (Section 5.10.5 ¶ 1 Bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Register the Mission Owner's system/service/application with the DoD whitelist for both inbound and outbound traffic if traffic will cross the IAPs. See section 5.17.2 DoD DMZ Whitelist for more information. (Section 5.10.6 ¶ 1 Bullet 19, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Implements adequate security and restrictions over the use of public APIs to protect sensitive customer and entity data and performs appropriate testing to verify the adequacy of security controls over a third party's APIs. (App A Objective 13:6i Bullet 9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews and updates the list of authorized software programs [FedRAMP Assignment: at least quarterly or when there is a change]. (CM-7(5)(c) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews and updates the list of authorized software programs [FedRAMP Assignment: at least Annually or when there is a change]. (CM-7(5)(c) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5)(a) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Identify [Assignment: organization-defined software programs authorized to execute on the system]; (CM-7(5)(a), FedRAMP Security Controls High Baseline, Version 5)
  • Review and update the list of authorized software programs [FedRAMP Assignment: at least quarterly or when there is a change]. (CM-7(5)(c), FedRAMP Security Controls High Baseline, Version 5)
  • Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Identify [Assignment: organization-defined software programs authorized to execute on the system]; (CM-7(5)(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Review and update the list of authorized software programs [FedRAMP Assignment: at least quarterly or when there is a change]. (CM-7(5)(c), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Identify [Assignment: organization-defined software programs authorized to execute on the system]; (CM-7(5)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and update the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and update the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Identify [Assignment: organization-defined software programs authorized to execute on the system]; (CM-7(5)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and (CM-7(4)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Identify [Assignment: organization-defined software programs not authorized to execute on the system]; (CM-7(4)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and (CM-7(4)(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Review and update the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Identify [Assignment: organization-defined software programs not authorized to execute on the system]; (CM-7(4)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Identify [Assignment: organization-defined software programs authorized to execute on the system]; (CM-7(5)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5) ¶ 1(a) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5) ¶ 1(a) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5) ¶ 1(c) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5) ¶ 1(c) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Capability to centrally control exactly what images and registries are trusted in their environment; (4.1.5 ¶ 2 Bullet 1, NIST SP 800-190, Application Container Security Guide)
  • Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (3.4.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (3.4.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (3.4.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should develop and maintain an organization-defined list of software programs that are not authorized to execute. (App F § CM-2(4)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should develop and maintain an organization-defined list of software programs that are authorized to execute. (App F § CM-2(5)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use an allow-all, deny-by-exception authorization policy for identifying allowed software. (App F § CM-2(4)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use a deny-all, permit-by-exception authorization policy for identifying allowed software. (App F § CM-2(5)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated mechanisms to prevent program execution in accordance with the authorized software program list, the unauthorized software program list, and/or the rules for software program usage. (App F § CM-7(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system prevents program execution in accordance with {organizationally documented policies regarding software program usage and restrictions}; rules authorizing the terms and conditions of software program usage. (CM-7(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies {organizationally documented software programs not authorized to execute on the information system}. (CM-7(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies {organizationally documented software programs authorized to execute on the information system}. (CM-7(5)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system prevents program execution in accordance with {organizationally documented policies regarding software program usage and restrictions}; rules authorizing the terms and conditions of software program usage. (CM-7(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies {organizationally documented software programs not authorized to execute on the information system}. (CM-7(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies {organizationally documented software programs authorized to execute on the information system}. (CM-7(5)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system prevents program execution in accordance with {organizationally documented policies regarding software program usage and restrictions}; rules authorizing the terms and conditions of software program usage. (CM-7(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies {organizationally documented software programs not authorized to execute on the information system}. (CM-7(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and (CM-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; (CM-7(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and (CM-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; (CM-7(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and (CM-7(4)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify [Assignment: organization-defined software programs not authorized to execute on the system]; (CM-7(4)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify [Assignment: organization-defined software programs authorized to execute on the system]; (CM-7(5)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and (CM-7(4)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review and update the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5)(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Identify [Assignment: organization-defined software programs not authorized to execute on the system]; (CM-7(4)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Identify [Assignment: organization-defined software programs authorized to execute on the system]; (CM-7(5)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; (CM-7(4) ¶ 1(a), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and (CM-7(4) ¶ 1(b), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5) ¶ 1(a), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. (CM-7(5) ¶ 1(c), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. (CM-7(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (CM-7(5)(a), TX-RAMP Security Controls Baseline Level 2)
  • Reviews and updates the list of authorized software programs [TX-RAMP Assignment: at least Annually or when there is a change]. (CM-7(5)(c), TX-RAMP Security Controls Baseline Level 2)