Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CM.L2-3.4.6 – Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Understanding the Requirement
This control requires you to strip systems back to only the software, services, ports, and features necessary for their business mission. In practice you define what "essential capabilities" look like for each system type (server, workstation, network device) and then remove or disable everything else. The goal is reducing the attack surface by uninstalling non‑mission software, disabling unnecessary services and protocols, and closing unused ports so systems expose as little functionality as possible while still performing their intended role.
Technical Implementation
- Create an asset and capability inventory: list all systems, their roles, and the specific capabilities required for each role (for example: file server—SMB; domain controller—Kerberos, LDAP/LDAPS, DNS and SMB; web server—HTTP/HTTPS). Count the security tooling itself (endpoint protection, logging agents, management channels) as essential so it is not stripped along with everything else. This inventory is the baseline for deciding what is essential vs non‑essential, so keep it under change control.
- Build hardened baselines and images: create standardized OS and application images that include only essential components for each role. Use these images for new deployments and reimage endpoints that drift from the standard to ensure consistency across the estate.
- Scan and close unused ports and services: run port and service scans (for example, with Nmap) against servers and network devices to identify open ports and listening services, and compare the results against the role baseline. A network scan only shows what the scanner's network position can reach, so confirm on the host itself which process owns each listener (ss -tlnp on Linux, Get-NetTCPConnection with -OwningProcess on Windows) before deciding what to remove. Disable or uninstall services that aren't required and close unnecessary ports at both the host firewall and the network firewall; rescan to confirm they are gone.
- Remove non‑essential applications and enforce application control: uninstall software that has no business justification (games, unapproved tools). Implement application allowlisting or restrictive execution policies (AppLocker, Microsoft Defender Application Control, or equivalent) so only approved apps run; allowlisting also prevents removed software from being reinstalled by users.
- Use configuration management and GPOs: enforce service disablement, firewall rules, and software installation policies via configuration management tools (Group Policy, Configuration Manager/Intune, Ansible) so changes cannot be made manually on individual machines without authorization, and so unauthorized changes are reverted on the next policy refresh.
- Document exceptions and perform periodic review: maintain an exception process where any capability a system needs beyond its role baseline must be approved, logged, and revalidated periodically. Schedule quarterly or semi‑annual reviews to re‑assess essential capabilities as business needs change.
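The steps above reduce to one repeatable check: take the capability inventory as the baseline, take a scan as the observed state, and report every listener that is not essential for the host's role. The script below is an added example, not code from the page or from NIST; it assumes the inventory is kept as two small mappings (host address to role, role to allowed protocol/port pairs) and that scans are collected with Nmap's XML output (nmap -sV -oX). The host addresses, roles and scan results are constructed for the example.

```python
"""Least-functionality drift check: compare the listening services Nmap
observed against the per-role baseline from the capability inventory.

Added example. Assumptions: the inventory is the two dictionaries below and
the scan was produced with `nmap -sV -oX scan.xml <targets>`.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Capability inventory (constructed): the only (protocol, port) pairs each
# role is allowed to expose.
ROLE_BASELINES = {
    "file_server": {("tcp", 445)},
    "web_server": {("tcp", 80), ("tcp", 443)},
}

# Asset inventory (constructed): scanned address -> role.
HOST_ROLES = {
    "10.0.10.5": "file_server",
    "10.0.10.20": "web_server",
}

# Constructed Nmap XML in the shape of `-oX` output. The file server also
# exposes FTP and RDP, the web server is missing HTTPS, and 10.0.10.99 is
# not in the inventory at all. The filtered 8080 is not a listener.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.10.0/24">
  <host><status state="up"/>
    <address addr="10.0.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.10.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.10.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str  # "excess": open but not essential; "missing": essential but
               # not observed; "unknown_host": no inventory entry at all
    proto: str
    port: int
    service: str


def parse_open_ports(xml_text: str) -> dict[str, dict[tuple[str, int], str]]:
    """Return {addr: {(proto, port): service_name}} for ports Nmap saw as open."""
    root = ET.fromstring(xml_text)
    hosts: dict[str, dict[tuple[str, int], str]] = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports: dict[tuple[str, int], str] = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not listening services
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr_el.get("addr")] = open_ports
    return hosts


def check_least_functionality(observed, host_roles=HOST_ROLES,
                              baselines=ROLE_BASELINES) -> list[Finding]:
    """Diff observed listeners against each host's role baseline."""
    findings: list[Finding] = []
    for addr, ports in sorted(observed.items()):
        role = host_roles.get(addr)
        if role is None:
            # No inventory entry means no defined essential capabilities:
            # every exposed service on the host is unreviewed.
            for (proto, port), svc in sorted(ports.items()):
                findings.append(Finding(addr, "unknown_host", proto, port, svc))
            continue
        allowed = baselines[role]
        for (proto, port), svc in sorted(ports.items()):
            if (proto, port) not in allowed:
                findings.append(Finding(addr, "excess", proto, port, svc))
        for proto, port in sorted(allowed - set(ports)):
            findings.append(Finding(addr, "missing", proto, port, "-"))
    return findings


if __name__ == "__main__":
    for f in check_least_functionality(parse_open_ports(SAMPLE_NMAP_XML)):
        print(f"{f.host:12} {f.kind:12} {f.proto}/{f.port:<5} {f.service}")
```

The "excess" findings (FTP and RDP on the file server) are the least-functionality violations to disable or justify through the exception process; "missing" findings are not violations but usually mean a service is down or the baseline is stale, and "unknown_host" findings mean the inventory itself needs fixing before the baseline comparison is meaningful. Running this against each scheduled scan gives the drift detection the review cycle depends on.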
Example in a Small or Medium Business
Alice is the system administrator at a 75‑person engineering firm. She starts by building a spreadsheet inventory that lists each server, its business purpose, and the protocols it actually requires. An audit of the Windows workstations turns up non‑business software such as games and media players that users had installed, and she uninstalls it. On the file servers she runs Nmap scans, compares the results with the inventory, and identifies several services and open ports that are not used; she disables the unneeded services, tightens the host firewall, and updates the server images to remove those components. Alice creates two hardened baseline images—one for workstations and one for servers—and uses a configuration management tool to deploy them and enforce group policies that prevent users from installing software locally. For any tool that the business wants to keep but that increases risk, she documents a formal exception with approval from the security lead and sets a revalidation date. She then schedules quarterly reviews and automated scans so that any drift from the least‑functionality baselines is detected and remediated quickly.
Summary
Enforcing least functionality combines clear policies (defined essential capabilities, exception processes) with technical controls (inventory, hardened images, uninstalling software, closing ports, application control and configuration management). For SMBs this approach reduces attack surface without heavy ongoing overhead: define what each system needs, lock down everything else, automate enforcement, and review periodically so systems remain lean and aligned with business needs.