This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
NIST 800-53 (r4) Supplemental Guidance:
Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.
References: None.
NIST 800-53 (r5) Discussion:
Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.
38North Guidance:
Meets Minimum Requirement:
Use software and associated documentation in accordance with CSP and customer contract agreements and copyright laws.
Ensure that the CSP tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution.
Ensure that the CSP controls and documents the use of file-sharing, peer-to-peer, and data transfer programs or services so that these capabilities are not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Software contract agreements and copyright laws, list of software usage restrictions
Evidence that the CSP tracks the use of software and associated licensing
Processes implementing and controlling the use of peer-to-peer file sharing technology
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD