Embedded Files
This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [FedRAMP Assignment: (M) at least annually or when there is a change; (H) at least quarterly or when there is a change].
NIST 800-53 (r4) Supplemental Guidance:
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7.
NIST 800-53 (r5) Discussion:
Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.
38North Guidance:
Meets Minimum Requirement:
Identify all software programs authorized to execute on the systems.
Implement in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e., white listing).
Review and update the list of software programs authorized to execute on the systems, at least annually/quarterly or when there is a change.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
List of authorized software programs (whitelist) and evidence of most recent software whitelist review
Configuration showing how software installation policies are enforced
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD
Page updated
Report abuse