💼 CM-7 Least Functionality (L)(M)(H)

• ID: /frameworks/fedramp-moderate-security-controls/cm/07

Description

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and

b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

CM-7 Additional FedRAMP Requirements and Guidance:

(b) Requirement: The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

Similar

• Sections
  • /frameworks/fedramp-high-security-controls/cm/07
• Internal
  • ID: dec-c-ff33d573

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CM-7(1) Periodic Review (M)(H)			12		no data
💼 CM-7(2) Prevent Program Execution (M)(H)					no data
💼 CM-7(5) Authorized Software — Allow-by-exception (M)(H)					no data

Policies (29)

Policy	Logic Count	Flags	Compliance
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance Auto Minor Version Upgrade is not enabled🟠🟢	1	🟠 x1, 🟢 x6	no data
🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢	1	🟢 x6	no data
🛡️ Azure App Service does not run the latest Java version🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Azure App Service does not run the latest PHP version🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Azure App Service does not run the latest Python version🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Azure Network Security Group allows public access to RDP port🟢	1	🟢 x6	no data
🛡️ Azure Network Security Group allows public access to SSH port🟢	1	🟢 x6	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC is not enabled🟢	1	🟢 x6	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1🟢	1	🟢 x6	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1🟢	1	🟢 x6	no data
🛡️ Google Cloud MySQL Instance Local_infile Database Flag is not set to off🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance remote access Database Flag is not set to off🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance user options Database Flag is configured🟢	1	🟢 x6	no data
🛡️ Google GCE Instance Enable Connecting to Serial Ports is not disabled🟢	1	🟢 x6	no data
🛡️ Google Project has a default network🟢	1	🟢 x6	no data
🛡️ Google Project has a legacy network🟢	1	🟢 x6	no data