CFG-03.3: Explicitly Allow / Deny Applications
Mechanisms exist to explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems.
Control Question: Does the organization explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems?
General (29)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 2.3 2.5 2.6 2.7 |
| CIS CSC 8.1 IG1 | 2.3 |
| CIS CSC 8.1 IG2 | 2.3 2.5 2.6 |
| CIS CSC 8.1 IG3 | 2.3 2.5 2.6 2.7 |
| CSA CCM 4 | UEM-02 |
| CSA IoT SCF 2 | CLS-02 |
| GovRAMP Moderate | CM-07(05) |
| GovRAMP High | CM-07(05) |
| NIST 800-53 R4 | CM-7(4) CM-7(5) SC-18(4) |
| NIST 800-53 R4 (moderate) | CM-7(4) |
| NIST 800-53 R4 (high) | CM-7(5) |
| NIST 800-53 R5 (source) | CM-7(4) CM-7(5) SC-18(4) |
| NIST 800-53B R5 (moderate) (source) | CM-7(5) |
| NIST 800-53B R5 (high) (source) | CM-7(5) |
| NIST 800-53 R5 (NOC) (source) | CM-7(4) SC-18(4) |
| NIST 800-82 R3 MODERATE OT Overlay | CM-7(5) |
| NIST 800-82 R3 HIGH OT Overlay | CM-7(5) |
| NIST 800-161 R1 | CM-7(4) CM-7(5) |
| NIST 800-161 R1 Level 2 | CM-7(4) |
| NIST 800-161 R1 Level 3 | CM-7(4) CM-7(5) |
| NIST 800-171 R2 (source) | 3.4.8 |
| NIST 800-171A (source) | 3.4.8[a] 3.4.8[b] 3.4.8[c] |
| NIST 800-171 R3 (source) | 03.04.08.a 03.04.08.b 03.13.13.a 03.13.13.b |
| NIST 800-171A R3 (source) | A.03.04.08.ODP[01] A.03.04.08.a A.03.04.08.b A.03.13.13.b[03] |
| SPARTA | CM0047 CM0069 |
| UL 2900-1 2017 | 8.5 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | CFG-03.3 |
| SCF CORE ESP Level 2 Critical Infrastructure | CFG-03.3 |
| SCF CORE ESP Level 3 Advanced Threats | CFG-03.3 |
US (16)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ARCHITECTURE-3.M.MIL3 |
| US CMMC 2.0 Level 2 (source) | CM.L2-3.4.8 |
| US CMMC 2.0 Level 3 (source) | CM.L2-3.4.8 |
| US CMS MARS-E 2.0 | CM-7(4) |
| US DHS ZTCF | APP-01 |
| US FedRAMP R4 | CM-7(5) |
| US FedRAMP R4 (moderate) | CM-7(5) |
| US FedRAMP R4 (high) | CM-7(5) |
| US FedRAMP R5 (source) | CM-7(5) |
| US FedRAMP R5 (moderate) (source) | CM-7(5) |
| US FedRAMP R5 (high) (source) | CM-7(5) |
| US HIPAA HICP Medium Practice | 9.M.B |
| US HIPAA HICP Large Practice | 9.M.B 2.L.E |
| US IRS 1075 | CM-7(5) |
| US - CA CCPA 2025 | 7123(c)(4)(B) |
| US - TX TX-RAMP Level 2 | CM-7(5) |
EMEA (7)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | AM-02 |
| EMEA Israel CDMO 1.0 | 6.7 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-3-1-1 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-14-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-3-1-6 |
| EMEA UK Cyber Essentials | 4 |
| EMEA UK DEFSTAN 05-138 | 2409 |
APAC (4)
| Framework | Mapping Values |
|---|---|
| APAC Australia Essential 8 | ML1-P5 ML2-P5 ML3-P5 |
| APAC Australia ISM June 2024 | ISM-0843 ISM-0846 ISM-1235 ISM-1544 |
| APAC New Zealand NZISM 3.6 | 14.2.4.C.01 14.2.5.C.01 14.2.5.C.02 14.2.5.C.03 14.2.5.C.04 14.2.6.C.01 14.2.7.C.01 14.2.7.C.02 14.2.7.C.03 14.2.7.C.04 14.2.7.C.05 14.2.7.C.06 14.2.7.C.07 |
| APAC Singapore MAS TRM 2021 | 11.3.6 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 4.19 4.20 |
| Americas Canada ITSP-10-171 | 03.04.08.A 03.04.08.B 03.13.13.A 03.13.13.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems.
Level 1 — Performed Informally
Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Standardized across the organization. o Consistently aligned with industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
- IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
- Secure configurations are not:
- Terms of employment and rules of behavior address the requirement for users to comply with applicable software usage requirements and copyright laws.
Level 2 — Planned & Tracked
Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for configuration management.
- Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
- Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
- Apart from workstation and server operating system baselines, configuration management is decentralized.
- Cybersecurity personnel use a structured process to design, build and maintain secure configurations for test, development, staging and production environments.
- Deviations to baseline configurations are required to have a risk assessment and the business process owner acceptance of the risk(s) associated with the deviation.
- Unauthorized configuration changes are investigated to determine if the unauthorized configuration is malicious in nature.
- Logical Access Control (LAC) is enforced to prohibit non-administrative users from being able to install unauthorized software.
Level 3 — Well Defined
Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- The configuration management function is formally assigned with defined roles and responsibilities.
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
- Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
- Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
- Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
- Deviations to baseline configurations are required to have a risk assessment and business process owner approval of the risk(s) associated with the deviation.
- Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
- An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
- Logical Access Control (LAC) is used to limit the ability of non-administrators from making configuration changes to systems, applications and services, including the of installation of unauthorized software.
- A Security Incident Event Manager (SIEM), or similar automated tool, monitors for unauthorized activities, accounts, connections, devices and software.
- Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.
- A Software Asset Management (SWAM) solution is used to provide oversight of unmanaged or unauthorized software executables that are on a network.
Level 4 — Quantitatively Controlled
Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- CFG-03.3_A01 a policy and/or process specifying whether whitelisting or blacklisting is to be implemented is specified.
- CFG-03.3_A02 the software allowed to execute under whitelisting or denied use under blacklisting is specified.
- CFG-03.3_A03 whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
- CFG-03.3_A04 registration requirements for functions, ports, protocols and services are defined.
- CFG-03.3_A05 an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system.
- CFG-03.3_A06 the list of unauthorized software programs is reviewed / updated organization-defined frequency.
- CFG-03.3_A07 organization-defined registration requirements are complied with.
- CFG-03.3_A08 software programs not authorized to execute on the system are defined.
- CFG-03.3_A09 frequency at which to review / update the list of unauthorized software programs is defined.
- CFG-03.3_A10 organization-defined software programs are identified.
- CFG-03.3_A11 software programs authorized to execute on the system are identified.
- CFG-03.3_A12 the frequency at which to review and update the list of authorized software programs is defined.
- CFG-03.3_A13 a deny-all, allow-by-exception policy for the execution of authorized software programs on the system is implemented.
- CFG-03.3_A14 the list of authorized software programs is reviewed / updated organization-defined frequency.
- CFG-03.3_A15 the automatic execution of mobile code in organization-defined software applications is prevented.
- CFG-03.3_A16 organization-defined actions are enforced prior to executing mobile code.
- CFG-03.3_A17 the use of mobile code is controlled.
Technology Recommendations
Micro/Small
- whitelisting / blacklisting applications
- Microsoft Windows Defender Application Control (WDAC)
Small
- whitelisting / blacklisting applications
- Microsoft Windows Defender Application Control (WDAC)
Medium
- whitelisting / blacklisting applications
- Microsoft Windows Defender Application Control (WDAC)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Large
- whitelisting / blacklisting applications
- Microsoft Windows Defender Application Control (WDAC)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Enterprise
- whitelisting / blacklisting applications
- Microsoft Windows Defender Application Control (WDAC)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)