Configuration Management 3.4.6
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
What Is This CMMC Control?
This control requires organizations to configure their systems to run only the services, features, and capabilities that are actually needed for business operations. Systems often come with many default features enabled that aren't necessary and create unnecessary security risks. Organizations must identify what functionality is essential, disable everything else, and regularly review systems to ensure unused features remain disabled. This includes turning off unnecessary network ports, protocols, services, and software features that could be exploited by attackers.
Control Intent
Reduce the attack surface of organizational systems by eliminating unnecessary functionality that could be exploited to compromise CUI or system security.
Who This Control Applies To
- All systems that process, store, or transmit CUI
- Workstations and end-user devices
- Servers (file, application, database, web)
- Network devices (routers, switches, firewalls)
- Virtual machines and cloud instances
- Operating systems (Windows, Linux, macOS)
- Applications and software packages
- Network services and protocols
- Physical and logical network ports
Not Applicable When
- The system does not process, store, or transmit CUI
- The organization has no systems in scope for CMMC
- All system functionality is demonstrably essential and documented as required for mission operations
Key Objectives
1. Minimize system attack surface by disabling non-essential functions, services, ports, and protocols
2. Prevent unauthorized connections, data transfers, and exploitation through unused system capabilities
3. Ensure systems are configured to support only mission-essential operations and functions
Sample Self-Assessment Questions (Partial)
What services, features, or capabilities are currently enabled on your systems that you don't actively use?
Have you disabled unnecessary Windows services, Linux daemons, or macOS background processes on your systems?
Implementation Approaches (High-Level)
Operating System Hardening with Configuration Baselines
Establish and enforce configuration baselines that define approved services, features, and capabilities for each system type, with unnecessary functionality explicitly disabled
Network Port and Protocol Restriction
Implement firewall rules, access control lists, and system-level controls to restrict network communications to only approved ports and protocols required for business operations
Application and Feature Minimization
Install and configure applications with only required components and features, removing or disabling optional functionality that is not needed for business operations
Physical Port and Interface Control
Disable or restrict physical connection interfaces (USB, Bluetooth, infrared, serial) on systems where they are not required for business operations
Service and Protocol Scanning with Remediation
Implement regular automated scanning to identify unauthorized services, ports, or protocols, with a documented remediation process for findings
Regular Functionality Review and Elimination Process
Establish a documented process for periodic review of system functionality to identify and eliminate capabilities that are no longer needed or were never used
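The baseline and scanning approaches above come together in a check that compares what a host actually exposes against the approved baseline for its system type. The following is an added example (not code from the original page or from any vendor named on it): it parses constructed samples modelled on Linux `ss -ltnp` and `systemctl list-unit-files --type=service --state=enabled` output, diffs them against a hypothetical "file-server" baseline, and returns findings for unapproved listeners and services, plus approved services that are unexpectedly absent (the "we disabled something we needed" case from the FAQ). The `file-server` baseline, the sample outputs, and the `Finding` record are all constructed for this example.

```python
"""Baseline-compare check for least functionality (3.4.6).

Parses the listening sockets and enabled services reported by a Linux host,
compares them against the approved baseline for that host's system type, and
returns findings for anything outside the baseline (plus any approved service
that is unexpectedly absent). All inputs below are constructed samples.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "unapproved_port", "unapproved_service" or "missing_service"
    item: str    # the port or unit name the finding is about
    detail: str  # what an operator should do with it


# Hypothetical baseline for a "file-server" system type: only SSH for
# administration and SMB for file sharing are approved, and auditd must run.
BASELINES = {
    "file-server": {
        "ports": {("tcp", 22), ("tcp", 445)},
        "services": {"sshd.service", "smb.service", "auditd.service"},
    },
}

# Constructed sample modelled on `ss -ltnp` output; not a real capture.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=901,fd=36))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=655,fd=7))
"""

# Constructed sample modelled on
# `systemctl list-unit-files --type=service --state=enabled`; not a real capture.
SAMPLE_UNIT_FILES = """\
UNIT FILE      STATE   PRESET
sshd.service   enabled enabled
smb.service    enabled enabled
cups.service   enabled enabled
nginx.service  enabled enabled

4 unit files listed.
"""

_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")
_PROCESS = re.compile(r'\(\("([^"]+)"')


def parse_ss(text):
    """Return (proto, port, process) for each LISTEN line of `ss -ltnp` output.

    `-t` limits ss to TCP, so the protocol is fixed here; a UDP variant would
    parse `ss -lunp` the same way with proto "udp".
    """
    sockets = []
    for line in text.splitlines():
        match = _SS_LINE.match(line)
        if not match:
            continue
        local_addr, process_field = match.groups()
        port = int(local_addr.rsplit(":", 1)[1])  # works for IPv4 and [::]:port
        proc = _PROCESS.search(process_field)
        sockets.append(("tcp", port, proc.group(1) if proc else "unknown"))
    return sockets


def parse_unit_files(text):
    """Return the set of enabled .service units from systemctl output."""
    return {
        parts[0]
        for parts in (line.split() for line in text.splitlines())
        if len(parts) >= 2 and parts[0].endswith(".service") and parts[1] == "enabled"
    }


def compare_to_baseline(system_type, sockets, services):
    """Diff observed state against the approved baseline for `system_type`."""
    base = BASELINES[system_type]
    findings = []
    for proto, port, proc in sockets:
        if (proto, port) not in base["ports"]:
            findings.append(Finding(
                "unapproved_port", f"{proto}/{port}",
                f"listener {proc!r} is outside the baseline: disable it, or "
                "record a business justification and update the baseline"))
    for unit in sorted(services - base["services"]):
        findings.append(Finding(
            "unapproved_service", unit,
            "enabled but not in the baseline: disable and mask it, or justify and add to the baseline"))
    for unit in sorted(base["services"] - services):
        findings.append(Finding(
            "missing_service", unit,
            "approved service is not enabled: verify an essential function has not been broken"))
    return findings


if __name__ == "__main__":
    results = compare_to_baseline(
        "file-server", parse_ss(SAMPLE_SS_OUTPUT), parse_unit_files(SAMPLE_UNIT_FILES))
    for f in results:
        print(f"{f.kind:<19} {f.item:<16} {f.detail}")
```

Run against real hosts, the two parsers would be fed the actual command output, and the finding list is the evidence artifact an assessor asks for: an empty list for a sampled system is the "scan results showing only approved ports/services" success criterion, and any non-empty list feeds the remediation process. Keeping the baseline in version control alongside the check gives the review history the control expects.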
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If systems have unnecessary services enabled, create a POA&M to develop configuration baselines and disable non-essential functionality within 30-90 days depending on environment complexity.
- If no configuration baselines exist, create a POA&M to document approved functionality for each system type within 60 days, then implement within an additional 90 days.
- If physical ports are not controlled, create a POA&M to assess requirements and disable unnecessary interfaces within 30-60 days.
- If no regular scanning or monitoring exists, create a POA&M to implement scanning tools and establish a baseline within 90 days.
- If functionality reviews are not performed, create a POA&M to establish a review process and conduct an initial review within 60 days.
- For vendor systems with extensive default functionality that cannot be easily disabled, document compensating controls in the POA&M (enhanced monitoring, network segmentation, access restrictions).
- If remediation of identified unnecessary functionality is backlogged, create a POA&M with a prioritized remediation schedule based on risk.
- Ensure the POA&M includes specific milestones: baseline development, tool implementation, initial remediation, and ongoing review process establishment.
- For large environments, consider a phased POA&M approach addressing critical systems first, then expanding to all in-scope systems.
- The POA&M should include success criteria such as scan results showing only approved ports/services and compliance reports showing baseline adherence.
Frequently Asked Questions
What does 'least functionality' mean in practical terms?
Least functionality means configuring systems to run only the services, applications, features, and network protocols that are actually needed for business operations. For example, a file server should not have web server software installed, workstations should not have unnecessary network services running, and applications should be installed with only required components rather than every optional feature. The goal is to reduce the attack surface by eliminating functionality that could be exploited but serves no business purpose.
How do I determine what functionality is 'essential' versus 'non-essential'?
Essential functionality is anything required to support documented business operations, mission functions, or security requirements. Work with system owners and users to document what each system actually needs to do, then compare that against what is currently enabled. Functionality is non-essential if the system has operated successfully without it, if no users require it, if it was enabled by default but never used, or if it can be enabled on-demand when needed rather than running continuously.
Does this control require removing all administrative tools and troubleshooting capabilities?
No, administrative tools and troubleshooting capabilities that are necessary for system management and security operations are considered essential functionality. However, these tools should only be enabled on systems where they are needed (e.g., administrator workstations, not regular user systems), and remote administrative access should be restricted to authorized personnel. The key is distinguishing between tools that are regularly needed versus those that are rarely or never used.
What happens if disabling functionality breaks something we didn't know we needed?
This is why least functionality should be implemented through a controlled change management process with testing before production deployment. Start by documenting current functionality and usage, identify clear candidates for elimination, test changes in non-production environments, and have a rollback plan. If functionality is disabled and later found to be needed, it can be re-enabled through the change control process with documentation of the business justification.
How is this control verified during a CMMC assessment?
Assessors will review configuration baselines and standards, examine actual system configurations through exports or screenshots, analyze vulnerability scan results showing open ports and running services, and verify that monitoring or scanning tools detect unauthorized functionality. They will select sample systems and validate that only approved services and features are enabled. Assessors will also review the process for identifying and eliminating unnecessary functionality and examine evidence that this process is actually performed.
Do I need to disable functionality on vendor-provided systems or appliances that come pre-configured?
Yes, the control applies to all organizational systems including vendor-provided solutions. However, some vendor systems may have limited configuration options or disabling certain features may void support agreements. In these cases, document what functionality cannot be disabled and why, implement compensating controls such as network segmentation or enhanced monitoring, and ensure the vendor system is still configured as securely as possible within its constraints. This should be documented as a risk acceptance or addressed in a POA&M.
Information sourced from NIST SP 800-171 Rev. 2.