This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Reviews the information system [FedRAMP Assignment: (M)(H) at least monthly] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
NIST 800-53 (r4) Supplemental Guidance:
The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2.
NIST 800-53 (r5) Discussion:
Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.
38North Guidance:
Meets Minimum Requirement:
Unnecessary and/or nonsecure functions, ports, protocols, and services must be restricted; the information system must be reviewed at least monthly, and the restrictions updated whenever a port or protocol is determined to be unnecessary and/or nonsecure.
Disable defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Documented monthly reviews/updates of functions, ports, protocols, and/or services
Disabling of nonsecure functions, ports, protocols, and/or services (CM-6 compliance scans may also be leveraged)
Vulnerability scanning reports
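A review script of the kind that would produce the documented monthly review above, added here as an illustration (it is not 38North, FedRAMP or any CSP tooling): it parses `ss -tulnp` output (the sample below is constructed), compares each listening socket against an approved ports/protocols/services baseline and an organization-defined nonsecure list seeded from the FTP example in the control text, and returns the findings a review record would carry. The baseline entries, service names and the nonsecure list are assumed values.

```python
import re
from datetime import date

# Approved PPS baseline as (transport, port, process). Constructed values.
APPROVED_PPS = {("tcp", 22, "sshd"), ("tcp", 443, "nginx"), ("udp", 123, "chronyd")}
# Organization-defined nonsecure services, seeded from the FTP example in the
# control text; a match is flagged even when the baseline lists it.
NONSECURE_SERVICES = {"vsftpd", "proftpd", "ftp"}

# Constructed `ss -tulnp` output standing in for a real host inventory.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*    users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*    users:(("vsftpd",pid=777,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*    users:(("postgres",pid=650,fd=5))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*    users:(("chronyd",pid=402,fd=1))
"""

_PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(text):
    """Yield (transport, port, process) from `ss -tulnp` output (header skipped)."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        transport, local = fields[0], fields[4]
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:22, [::]:22, *:22
        m = _PROC_RE.search(line)
        yield transport, port, (m.group(1) if m else "unknown")


def review_pps(ss_text, approved=APPROVED_PPS, nonsecure=NONSECURE_SERVICES):
    """Return the monthly review record: each finding needs a disable-or-justify decision."""
    findings = []
    for transport, port, proc in parse_ss(ss_text):
        if proc in nonsecure:
            findings.append((transport, port, proc, "nonsecure"))
        elif (transport, port, proc) not in approved:
            findings.append((transport, port, proc, "not in baseline"))
    return {"review_date": date.today().isoformat(), "findings": findings}


if __name__ == "__main__":
    for transport, port, proc, reason in review_pps(SAMPLE_SS_OUTPUT)["findings"]:
        print(f"{transport}/{port} {proc}: {reason}")
```

Run it against the saved `ss -tulnp` output of each host in scope and keep the returned record with the month's review; a loopback-only listener such as the constructed postgres entry still appears so the reviewer can justify or disable it.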
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD