Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

cm-7

least functionality  

assessment objective:

Determine if the organization:

cm-7(a)

configures the information system to provide only essential capabilities;

cm-7(b)

cm-7(b)[1]

defines prohibited or restricted:

cm-7(b)[1][a]

functions;

cm-7(b)[1][b]

ports;

cm-7(b)[1][c]

protocols; and/or

cm-7(b)[1][d]

services;

cm-7(b)[2]

prohibits or restricts the use of organization-defined:

cm-7(b)[2][a]

functions;

cm-7(b)[2][b]

ports;

cm-7(b)[2][c]

protocols; and/or

cm-7(b)[2][d]

services.

potential assessment methods and objects:

Examine: [select from: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [select from: Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Organizational processes prohibiting or restricting functions, ports, protocols, and/or services; automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services].