CFG-03: Least Functionality

CFG 10 — Critical Protect

Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.

Control Question: Does the organization configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services?

General (51)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC5.2-POF3 CC6.1-POF7 CC6.7-POF1
CIS CSC 8.1 4 4.6 4.8
CIS CSC 8.1 IG2 4.8
CIS CSC 8.1 IG3 4.8
CSA CCM 4 AIS-02 UEM-02
GovRAMP Low CM-07
GovRAMP Low+ CM-07
GovRAMP Moderate CM-07
GovRAMP High CM-07
IEC 62443-4-2 2019 CR 2.2 (6.4.1) CR 7.7 (11.9.1)
IMO Maritime Cyber Risk Management 3.5.3.3
ISO 27002 2022 8.3 8.9 8.12
ISO 27017 2015 9.4.1
MITRE ATT&CK 10 T1003, T1003.001, T1003.002, T1003.005, T1008, T1011, T1011.001, T1021.001, T1021.002, T1021.003, T1021.005, T1021.006, T1036, T1036.005, T1036.007, T1037, T1037.001, T1046, T1047, T1048, T1048.001, T1048.002, T1048.003, T1052, T1052.001, T1053, T1053.002, T1053.005, T1059, T1059.005, T1059.007, T1068, T1071, T1071.001, T1071.002, T1071.003, T1071.004, T1072, T1080, T1087, T1087.001, T1087.002, T1090, T1090.001, T1090.002, T1090.003, T1092, T1095, T1098, T1098.001, T1098.004, T1102, T1102.001, T1102.002, T1102.003, T1104, T1105, T1106, T1112, T1127, T1129, T1133, T1135, T1136, T1136.002, T1136.003, T1176, T1187, T1190, T1195, T1195.001, T1195.002, T1197, T1199, T1204, T1204.001, T1204.002, T1204.003, T1205, T1205.001, T1210, T1213, T1213.001, T1213.002, T1216, T1216.001, T1218, T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.012, T1218.013, T1218.014, T1219, T1220, T1221, T1482, T1484, T1489, T1490, T1498, T1498.001, T1498.002, T1499, T1499.001, T1499.002, T1499.003, T1499.004, T1505.004, T1525, T1530, T1537, T1542.004, T1542.005, T1543, T1546.002, T1546.006, T1546.008, T1546.009, T1546.010, T1547.004, T1547.006, T1547.007, T1547.011, T1548, T1548.001, T1548.003, T1548.004, T1552, T1552.003, T1552.005, T1552.007, T1553, T1553.001, T1553.003, T1553.004, T1553.005, T1553.006, T1555.004, T1556, T1556.002, T1557, T1557.001, T1557.002, T1559, T1559.002, T1562, T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.009, T1563, T1563.001, T1563.002, T1564.002, T1564.003, T1564.006, T1564.008, T1564.009, T1565, T1565.003, T1569, T1569.002, T1570, T1571, T1572, T1573, T1573.001, T1573.002, T1574, T1574.001, T1574.006, T1574.007, T1574.008, T1574.009, T1574.012, T1599, T1599.001, T1601, T1601.001, T1601.002, T1602, T1602.001, T1602.002, T1609, T1610, T1611, T1612, T1613
MPA Content Security Program 5.1 TS-1.1 TS-2.3
NIST Privacy Framework 1.0 PR.PT-P2
NIST 800-53 R4 CM-7
NIST 800-53 R4 (low) CM-7
NIST 800-53 R4 (moderate) CM-7
NIST 800-53 R4 (high) CM-7
NIST 800-53 R5 (source) CM-7
NIST 800-53B R5 (low) (source) CM-7
NIST 800-53B R5 (moderate) (source) CM-7
NIST 800-53B R5 (high) (source) CM-7
NIST 800-82 R3 LOW OT Overlay CM-7
NIST 800-82 R3 MODERATE OT Overlay CM-7
NIST 800-82 R3 HIGH OT Overlay CM-7
NIST 800-161 R1 CM-7
NIST 800-161 R1 C-SCRM Baseline CM-7
NIST 800-161 R1 Flow Down CM-7
NIST 800-161 R1 Level 3 CM-7
NIST 800-171 R2 (source) 3.4.6
NIST 800-171A (source) 3.4.6[a] 3.4.6[b]
NIST 800-171 R3 (source) 03.04.02.a 03.04.06.a 03.04.06.b 03.04.06.d 03.04.08.a
NIST 800-171A R3 (source) A.03.04.02.ODP[01] A.03.04.06.d
NIST CSF 2.0 (source) PR.PS-05
OWASP Top 10 2021 A05:2021
PCI DSS 4.0.1 (source) 1.2.5 1.2.6 1.4 1.4.1 1.4.2 2.2.4
PCI DSS 4.0.1 SAQ A-EP (source) 1.2.5 1.2.6 1.4.1 1.4.2 2.2.4
PCI DSS 4.0.1 SAQ B-IP (source) 1.2.5 1.2.6 1.4.2
PCI DSS 4.0.1 SAQ C (source) 2.2.4
PCI DSS 4.0.1 SAQ C-VT (source) 2.2.4
PCI DSS 4.0.1 SAQ D Merchant (source) 1.2.5 1.2.6 1.4.1 1.4.2 2.2.4
PCI DSS 4.0.1 SAQ D Service Provider (source) 1.2.5 1.2.6 1.4.1 1.4.2 2.2.4
SPARTA CM0047
SWIFT CSF 2023 2.10
SCF CORE Fundamentals CFG-03
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CFG-03
SCF CORE ESP Level 1 Foundational CFG-03
SCF CORE ESP Level 2 Critical Infrastructure CFG-03
SCF CORE ESP Level 3 Advanced Threats CFG-03
US (32)
EMEA (7)
Framework Mapping Values
EMEA EU NIS2 Annex 6.7.2(f)
EMEA Israel CDMO 1.0 4.8 4.9 12.9 12.13
EMEA Saudi Arabia ECC-1 2018 2-5-3-5
EMEA Saudi Arabia OTCC-1 2022 2-2-1-5 2-3-1-4
EMEA Spain BOE-A-2022-7191 20(a) 20(b) 20(c) 20(d)
EMEA Spain 311/2022 20(a) 20(b) 20(c) 20(d)
EMEA UK DEFSTAN 05-138 2204 2430 2507
APAC (4)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0385 ISM-1006 ISM-1311 ISM-1312 ISM-1392 ISM-1479 ISM-1487 ISM-1488 ISM-1489 ISM-1621
APAC India SEBI CSCRF PR.IP.S1
APAC Japan ISMAP 9.4.1 9.4.1.8.PB
APAC New Zealand NZISM 3.6 18.1.15.C.01 18.1.15.C.02 18.1.15.C.03 18.1.15.C.04
Americas (2)
Framework Mapping Values
Americas Canada OSFI B-13 3.2.8
Americas Canada ITSP-10-171 03.04.02.A 03.04.06.A 03.04.06.B 03.04.06.D 03.04.08.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.

Level 1 — Performed Informally

Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  • Secure configurations are not:
      o Standardized across the organization.
      o Consistently aligned with industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).

Level 2 — Planned & Tracked

Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for configuration management.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
  • Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
  • Apart from workstation and server operating system baselines, configuration management is decentralized.
  • Cybersecurity personnel use a structured process to design, build and maintain secure configurations for test, development, staging and production environments.
  • Deviations to baseline configurations are required to have a risk assessment and the business process owner acceptance of the risk(s) associated with the deviation.
  • Unauthorized configuration changes are investigated to determine if the unauthorized configuration is malicious in nature.
  • Logical Access Control (LAC) is enforced to prohibit non-administrative users from being able to install unauthorized software.
  • Administrative processes exist to prevent unauthorized access by limiting and reviewing permissions to change hardware, software and firmware components within a production/operational environment.

Level 3 — Well Defined

Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • The configuration management function is formally assigned with defined roles and responsibilities.
  • An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
  • Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
  • Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
  • Deviations to baseline configurations are required to have a risk assessment and business process owner approval of the risk(s) associated with the deviation.
  • Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
  • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
  • Logical Access Control (LAC) is used to limit the ability of non-administrators to make configuration changes to systems, applications and services, including the installation of unauthorized software.
  • A Security Incident Event Manager (SIEM), or similar automated tool, monitors for unauthorized activities, accounts, connections, devices and software.
  • Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.
  • Administrative processes exist to prevent unauthorized access by limiting and reviewing permissions to change hardware, software and firmware components within a production/operational environment.

Level 4 — Quantitatively Controlled

Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. CFG-03_A01 configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are defined (e.g., principle of least functionality).
  2. CFG-03_A02 systems are configured to provide only the defined essential capabilities, where unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed.
  3. CFG-03_A03 functions to be prohibited or restricted are defined.
  4. CFG-03_A04 ports to be prohibited or restricted are defined.
  5. CFG-03_A05 protocols to be prohibited or restricted are defined.
  6. CFG-03_A06 software to be prohibited or restricted is defined.
  7. CFG-03_A07 services to be prohibited or restricted are defined.
  8. CFG-03_A08 the use of organization-defined functions is prohibited or restricted.
  9. CFG-03_A09 the use of organization-defined ports is prohibited or restricted.
  10. CFG-03_A10 the use of organization-defined protocols is prohibited or restricted.
  11. CFG-03_A11 the use of organization-defined software is prohibited or restricted.
  12. CFG-03_A12 the use of organization-defined services is prohibited or restricted.
  13. CFG-03_A13 configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are defined.
  14. CFG-03_A14 unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed.

Evidence Requirements

E-AST-12 Secure Baseline Configurations Reviews

Documented evidence of a review process to ensure Secure Baseline Configurations (SBC) are current and applicable (e.g., system configuration settings and associated documentation).

Asset Management
E-AST-13 Secure Baseline Configurations - Cloud-Based Services

Documented evidence of secure baseline configurations for all deployed types of cloud-based services or applications.

Asset Management
E-AST-14 Secure Baseline Configurations - Databases

Documented evidence of secure baseline configurations for all deployed types of databases.

Asset Management
E-AST-15 Secure Baseline Configurations - Embedded Technologies

Documented evidence of secure baseline configurations for all deployed types of embedded technologies.

Asset Management
E-AST-16 Secure Baseline Configurations - Major Applications

Documented evidence of secure baseline configurations for all deployed types of major applications.

Asset Management
E-AST-17 Secure Baseline Configurations - Minor Applications

Documented evidence of secure baseline configurations for all deployed types of minor applications.

Asset Management
E-AST-18 Secure Baseline Configurations - Mobile Devices

Documented evidence of secure baseline configurations for all deployed types of mobile devices.

Asset Management
E-AST-19 Secure Baseline Configurations - Network Devices

Documented evidence of secure baseline configurations for all deployed types of network devices.

Asset Management
E-AST-20 Secure Baseline Configurations - Server Class Systems

Documented evidence of secure baseline configurations for all deployed types of server-class operating systems.

Asset Management
E-AST-21 Secure Baseline Configurations - Workstation Class Systems

Documented evidence of secure baseline configurations for all deployed types of workstation-class operating systems.

Asset Management

Technology Recommendations

Micro/Small

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides

Small

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides

Medium

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides

Large

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides

Enterprise

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
