This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [FedRAMP Assignment: (L)(M)(H) Continuously (via CM-7 (5))].
NIST 800-53 (r4) Supplemental Guidance:
If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
References: None.
NIST 800-53 (r5) Discussion:
If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.
38North Guidance:
Meets Minimum Requirement:
Establish organization-defined policies governing the installation of software by users on workload clusters.
Enforce software installation policies through technical methods as defined by the CSP (See CM-7 (5)).
Continuously monitor whether unauthorized software or components have been installed within the information system (e.g., whitelisting) (See CM-8 (3)).
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Rules governing user-installed software
Evidence demonstrating that measures are implemented to enforce and monitor software installation policies. Evidence to show the system alerts personnel when unauthorized software installation is detected.
Evidence of software installed over time, showing that the policies were not violated.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD