Name: Episode 7 Least Functionality (CM-7): KamilSec
Uploaded: 2024-07-06 14:15:01
Duration: 19 min 36 s

Question 1

What is NIST 800-53 CM-7 (Least Functionality) in simple terms?

Accepted Answer

CM-7 is the principle of configuring a system to operate with only the mission-essential capabilities it actually needs. In practice, I’m disabling or removing nonessential functions, ports, protocols, services, and unnecessary software. The goal is to reduce the attack surface so there’s less for an attacker to exploit.

Question 2

How does CM-7 reduce the attack surface?

Accepted Answer

Every extra service or feature is another potential vulnerability. When I remove or disable what isn’t required, I’m eliminating exposure points attackers commonly target. That’s why CM-7 is fundamentally about minimizing what’s running and reachable.

Question 3

What’s the difference between least functionality and firewall rules/security groups?

Accepted Answer

Least functionality is about the system configuration itself—turning off what you don’t need. Firewalls and security groups enforce the same concept at the network layer by blocking access to unnecessary ports and protocols. I like using both, because even if a service gets enabled by mistake, the firewall/security group can still block the associated port.

Question 4

Can you give an example of implementing CM-7 with FTP and Telnet?

Accepted Answer

If FTP and Telnet aren’t mission-essential, I disable those services on the servers as part of CM-7. Then I make sure the firewall blocks FTP ports 20/21 and Telnet port 23. That way, I’m covered on the host side and the network side.

Question 5

Is CM-7 required for low, moderate, and high baselines?

Accepted Answer

Yes—CM-7 is selected for all three security control baselines: low, moderate, and high. So regardless of the system impact level, least functionality is expected. It’s not selected for the privacy control baseline.

Question 6

How do you test or assess CM-7 during an audit?

Accepted Answer

I start by obtaining and examining the organization’s configuration management policy/procedures and looking for clear definitions of essential capabilities and what’s prohibited or restricted. Then I inspect firewall/ACL rules, run discovery scans for open ports/active services, and compare results against what the SSP says is allowed. If the SSP list is current, anything showing up in scans that isn’t documented is a likely finding.

Question 7

Where should allowed ports and protocols be documented for CM-7?

Accepted Answer

A strong place to validate against is the SSP, because it typically lists the allowed ports, protocols, and services for the system. I use that as my reference point during scanning and rule review. If the SSP isn’t up to date, I push for it to be updated before we finalize findings.

Question 8

What logs or monitoring evidence support CM-7 compliance?

Accepted Answer

I look for audit logs and monitoring reports that show attempts to use nonessential or prohibited functionality. For example, if FTP isn’t allowed and someone attempts it, I expect to see that blocked attempt logged. Then I want to see that the organization investigates and addresses those attempts.

Episode 7 Least Functionality (CM-7): KamilSec

🛍️ Products Mentioned (5)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

Me a Coffee

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec