Skip to main content

💼 CM-7 Least Functionality

  • ID: /frameworks/nist-sp-800-53-r5/cm/07

Description

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/ec2/19
    • /frameworks/aws-fsbp-v1.0.0/ec2/21
    • /frameworks/aws-fsbp-v1.0.0/transfer-family/02
  • Internal
    • ID: dec-c-cc3ad3f4

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk10no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 33891no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connectionno data

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)31833no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)29no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 CM-7(1) Least Functionality _ Periodic Reviewno data
💼 CM-7(2) Least Functionality _ Prevent Program Executionno data
💼 CM-7(3) Least Functionality _ Registration Complianceno data
💼 CM-7(4) Least Functionality _ Unauthorized Software — Deny-by-exceptionno data
💼 CM-7(5) Least Functionality _ Authorized Software — Allow-by-exceptionno data
💼 CM-7(6) Least Functionality _ Confined Environments with Limited Privilegesno data
💼 CM-7(7) Least Functionality _ Code Execution in Protected Environmentsno data
💼 CM-7(8) Least Functionality _ Binary or Machine Executable Codeno data
💼 CM-7(9) Least Functionality _ Prohibiting The Use of Unauthorized Hardwareno data

Policies (23)

PolicyLogic CountFlagsCompliance
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢1🟢 x6no data
🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC is not enabled🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1🟢1🟢 x6no data
🛡️ Google Cloud MySQL Instance Local_infile Database Flag is not set to off🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance remote access Database Flag is not set to off🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance user options Database Flag is configured🟢1🟢 x6no data
🛡️ Google GCE Instance Enable Connecting to Serial Ports is not disabled🟢1🟢 x6no data
🛡️ Google Project has a default network🟢1🟢 x6no data
🛡️ Google Project has a legacy network🟢1🟢 x6no data