Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CM.L2-3.4.7 - Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Understanding the Requirement
This control from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 requires organizations to reduce attack surface by identifying what is essential for business operations (programs, functions, ports, protocols, services) and ensuring anything not explicitly required is disabled, uninstalled, or blocked. In practice you must define essential items, document acceptable use, and apply technical controls so nonessential components are prevented from running or communicating.
Technical Implementation
- Inventory and classify: Build an inventory of installed software, enabled functions, open ports, active protocols, and running services across workstations, servers, network devices, and printers. Tag each item as "essential" or "nonessential" with a business justification and owner.
- Enforce a software whitelist and approval process: Use a centrally managed whitelist (or application control) as the authoritative list of approved software. Require a formal approval workflow for exceptions; if an item lacks an approved business need, uninstall it or block execution via endpoint controls.
- Harden systems (disable or remove): For each system class, create a hardening checklist that explicitly disables unused functions and services and uninstalls nonessential programs. Use automation tools (SCCM, Intune, Ansible, scripts) to remove software and apply hardened baselines at scale.
- Lock down ports and protocols: Define required ports and protocols per role (e.g., web server needs 80/443; domain controllers need LDAP, Kerberos). Use host-based firewalls and network ACLs to block all other inbound/outbound ports and protocols. Document exceptions and periodically verify with port scans.
- Network and device configuration management: Apply least-privilege service configurations on routers, switches, and printers: disable telnet, unnecessary management interfaces, and unused services. Manage configurations via version-controlled templates and change control to ensure changes are reviewed.
- Monitoring and periodic review: Continuously monitor for deviations using endpoint detection, vulnerability scans, and regular audits. Schedule quarterly reviews to re-evaluate essential lists and remove any drift; log attempts to run disallowed programs or use blocked ports and investigate promptly.
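The steps above come down to one recurring comparison: what a host actually exposes and runs versus the documented essential set for its role, with approved exceptions recorded rather than silently allowed. The script below is an added example written for this page (it is not a vendor tool or the control text itself). It parses a constructed ss-style socket listing for one host, checks ports and services against a per-role baseline, applies an exception table keyed by a change ticket, and reports everything else as nonessential for removal or blocking. Every hostname, role, port, service name and ticket reference in it is constructed sample data, and the baseline dictionary stands in for whatever inventory or CMDB the organization keeps as its authoritative list.

```python
"""Role-based nonessential port/service check for CM.L2-3.4.7.

Added example, not code from the page or from any vendor tool. It compares
what each host is actually listening on and running against the documented
'essential' set for its role, applies approved exceptions, and reports the
rest as nonessential. Hostnames, roles, ports, services, tickets and the
ss-style listing are all constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PortKey = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 443)

# Authoritative per-role baseline (assumption: maintained by the organization
# as its documented 'essential' list, each role with an owner).
ESSENTIAL_BY_ROLE: Dict[str, Dict[str, Set]] = {
    "web-server": {
        "ports": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
        "services": {"sshd", "nginx", "chronyd"},
    },
    "domain-controller": {
        "ports": {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88),
                  ("tcp", 389), ("tcp", 636), ("tcp", 445), ("tcp", 3389)},
        "services": {"dns", "kdc", "ntds", "netlogon", "termservice"},
    },
}

# Approved exceptions from the formal workflow:
# (hostname, kind, item) -> ticket reference. Constructed placeholder values.
APPROVED_EXCEPTIONS: Dict[Tuple[str, str, str], str] = {
    ("web01", "port", "udp/161"): "CHG-EXAMPLE-0042 (SNMP polling by monitoring)",
    ("web01", "service", "snmpd"): "CHG-EXAMPLE-0042 (SNMP polling by monitoring)",
}


@dataclass(frozen=True)
class Finding:
    hostname: str
    kind: str    # "port", "service" or "role"
    item: str    # e.g. "tcp/23" or "telnetd"
    status: str  # "nonessential" or "exception"
    note: str = ""


def parse_ss_listing(text: str) -> Set[PortKey]:
    """Extract (protocol, port) pairs from `ss -tulnp`-style output.
    Only LISTEN (tcp) and UNCONN (udp) rows count; the header and anything
    that does not parse are skipped rather than treated as allowed.
    '0.0.0.0:22', '[::]:22' and '*:22' all yield port 22."""
    found: Set[PortKey] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        if parts[1] not in ("LISTEN", "UNCONN"):
            continue
        _, _, port = parts[4].rpartition(":")
        if port.isdigit():
            found.add((parts[0], int(port)))
    return found


def _classify(hostname: str, kind: str, item: str) -> Finding:
    """A non-baseline item is either a recorded exception or nonessential."""
    ticket = APPROVED_EXCEPTIONS.get((hostname, kind, item))
    if ticket:
        return Finding(hostname, kind, item, "exception", ticket)
    return Finding(hostname, kind, item, "nonessential",
                   "disable, uninstall or block; or file an exception")


def check_host(hostname: str, role: str, listening: Set[PortKey],
               services: Set[str]) -> List[Finding]:
    """Return every observed port/service not in the role's essential set.
    An unknown role is itself a finding: nothing is allowed by default."""
    baseline = ESSENTIAL_BY_ROLE.get(role)
    if baseline is None:
        return [Finding(hostname, "role", role, "nonessential",
                        "no documented baseline for this role")]
    findings: List[Finding] = []
    for proto, port in sorted(listening):
        if (proto, port) not in baseline["ports"]:
            findings.append(_classify(hostname, "port", f"{proto}/{port}"))
    for svc in sorted(services):
        if svc not in baseline["services"]:
            findings.append(_classify(hostname, "service", svc))
    return findings


# Constructed sample: a web server that still has telnet and SNMP listening
# and a leftover print service running.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:80               *:*               users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=900,fd=7))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=301,fd=3))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=455,fd=5))
"""
SAMPLE_SERVICES = {"sshd", "nginx", "chronyd", "telnetd", "snmpd", "cupsd"}


def run_sample() -> List[Finding]:
    """Check the constructed web01 host against the web-server baseline."""
    return check_host("web01", "web-server",
                      parse_ss_listing(SAMPLE_SS_OUTPUT), SAMPLE_SERVICES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.hostname:<8}{f.kind:<9}{f.item:<10}{f.status:<13}{f.note}")
```

On the sample host the report lists tcp/23, telnetd and cupsd as nonessential and udp/161 and snmpd as recorded exceptions; in a real deployment the listing would come from each host's socket and service inventory, and the exception table from the change-control system, so the quarterly review is a diff of this output over time rather than a fresh manual audit.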
Example in a Small or Medium Business
Acme Manufacturing is a 120-person SMB with an internal IT team of two administrators. They begin by running an automated inventory and discover consumer applications like iTunes on many employee laptops and several legacy services left enabled on a file server. The IT team builds a short whitelist of business-approved applications and implements Microsoft Intune to enforce application control and remove unapproved programs. They create a policy that only allows ports and protocols required for each device role, then use the firewall and network ACLs on their edge router to block all other inbound ports. For servers, they apply a hardened baseline that disables unused services and schedules automated configuration checks. Employees are informed via a short memo explaining the business need and an approved exception process for any application they believe is necessary. After implementation they run monthly scans to ensure new machines comply and log any blocked traffic so the administrators can adjust legitimate use cases through the formal exception workflow. Over time, the organization reduces helpdesk incidents caused by unsupported software and lowers its exposure to common remote-execution and service-based attacks.
Summary
Identify and document what your business truly needs, then use a combination of policy, automation, and technical controls to remove or block everything else. A managed whitelist, hardened system baselines, firewall and ACL rules, and ongoing monitoring close common avenues attackers exploit, thus meeting the control's intent to restrict, disable, or prevent nonessential programs, functions, ports, protocols, and services. Regular reviews and a simple exception process keep controls practical and sustainable for SMB operations.