Configuration Management 3.4.9

Control and monitor user-installed software.

What Is This CMMC Control?

This control requires organizations to establish and enforce policies that govern what software users can install on systems that process, store, or transmit CUI. Organizations must define what software installations are permitted (like approved security patches and updates) and what is prohibited (like unauthorized applications or software from untrusted sources). The control emphasizes maintaining visibility and control over user-initiated software installations through a combination of technical controls and documented policies.

Control Intent

Prevent unauthorized, malicious, or vulnerable software from being installed by users, which could compromise system security, introduce vulnerabilities, or provide pathways for data exfiltration or system compromise.

Who This Control Applies To

  • All systems where users have the ability to install software
  • Workstations and endpoints where CUI is processed, stored, or transmitted
  • Systems where users have local administrative privileges
  • Virtual desktop infrastructure (VDI) environments
  • Mobile devices used to access CUI
  • Development and test environments within the CUI boundary

Not Applicable When

  • Systems where users have no ability to install software (fully locked down, no installation privileges)
  • Appliances or embedded systems with read-only operating systems
  • Systems managed entirely through centralized deployment with no user installation capability
  • Air-gapped systems with no software installation mechanism available to users

Key Objectives

  1. Establish and enforce policies that define permitted and prohibited software installations by users
  2. Implement technical and procedural controls to prevent unauthorized software installation
  3. Maintain visibility into software installed by users across systems in scope
  4. Ensure only vetted, approved software from trusted sources can be installed by users

Sample Self-Assessment Questions (Partial)

Do users have the ability to install software on their work computers or devices?

Is there a documented policy that defines what software users can and cannot install?

Implementation Approaches (High-Level)

Application Whitelisting with Centralized Management

Deploy application whitelisting technology that allows execution of approved software only, managed through a centralized console with defined approval workflows.

Removal of Local Administrator Rights with Privilege Management

Remove local administrator rights from standard users and implement a privilege management solution that grants temporary elevation when needed.

Endpoint Management with Software Deployment Control

Use an endpoint management platform to control software deployment and prevent user installations outside the managed deployment process.

Software Inventory Monitoring with Automated Remediation

Deploy software inventory tools that continuously monitor installed software and automatically remove, or alert on, unauthorized installations.

Policy-Based Control with User Training and Monitoring

Implement a documented policy prohibiting unauthorized software installation, combined with user training and periodic compliance monitoring.
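The inventory-monitoring approach above depends on a concrete decision rule: given what an endpoint agent reports as installed and an approved-software baseline, which items are compliant, which are merely unapproved (alert), which are prohibited or from an untrusted source (remove), and which are approved but below the patched version (update). The following is an added illustration, not code from the page or from any vendor platform; the approved list, prohibited list, deployment accounts, hosts, products, publishers, versions and user names are all constructed sample data, and it also treats browser extensions as inventory items so the same baseline covers them.

```python
"""Added example (not from the page or any vendor product): audit endpoint
software inventories against an approved-software baseline and decide the
remediation action for each finding. All hosts, products, publishers,
versions and account names are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Approved baseline keyed by (product name, publisher) -> minimum approved
# version. Keying on publisher as well as name means a same-named product
# from an untrusted source is not silently accepted.
APPROVED: Dict[Tuple[str, str], Tuple[int, ...]] = {
    ("Acme Office Suite", "Acme Corp"): (5, 2, 0),
    ("Acme PDF Reader", "Acme Corp"): (11, 0, 3),
    ("Corp VPN Client", "Example Networks"): (3, 1, 0),
    ("Spell Helper", "Acme Corp"): (1, 0, 0),   # an approved browser extension
}

# Explicitly prohibited products: removed on sight rather than just alerted on.
PROHIBITED: Set[str] = {"FreeRemoteDesk", "CloudSync Personal"}

# Accounts that perform managed deployments; anything else is a user install.
DEPLOYMENT_ACCOUNTS: Set[str] = {"SYSTEM", "svc-deploy"}


@dataclass(frozen=True)
class Installed:
    host: str
    name: str
    publisher: str
    version: str
    kind: str          # "application" or "browser_extension"
    installed_by: str  # account that performed the installation


@dataclass(frozen=True)
class Finding:
    host: str
    name: str
    kind: str
    status: str  # prohibited | unknown_publisher | unapproved | outdated
    action: str  # remove | alert | update


def parse_version(version: str) -> Tuple[int, ...]:
    """'11.0.3' -> (11, 0, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(item: Installed) -> Optional[Finding]:
    """Return a Finding for a non-compliant install, or None if it is approved."""
    if item.name in PROHIBITED:
        return Finding(item.host, item.name, item.kind, "prohibited", "remove")
    key = (item.name, item.publisher)
    if key not in APPROVED:
        if any(name == item.name for name, _ in APPROVED):
            # Approved product name but a different publisher: treat as an
            # untrusted-source copy and remove rather than merely alert.
            return Finding(item.host, item.name, item.kind, "unknown_publisher", "remove")
        return Finding(item.host, item.name, item.kind, "unapproved", "alert")
    if parse_version(item.version) < APPROVED[key]:
        # Approved product, but older than the baseline: a patching finding.
        return Finding(item.host, item.name, item.kind, "outdated", "update")
    return None


def audit(inventory: Iterable[Installed]) -> List[Finding]:
    return [finding for item in inventory if (finding := evaluate(item)) is not None]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per remediation action, e.g. {'remove': 2, 'alert': 2}."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.action] = counts.get(finding.action, 0) + 1
    return counts


def hosts_with_user_installs(inventory: Iterable[Installed]) -> Set[str]:
    """Hosts where a non-deployment account installed something non-compliant;
    on these hosts the installation restriction itself is not being enforced."""
    return {
        item.host for item in inventory
        if item.installed_by not in DEPLOYMENT_ACCOUNTS and evaluate(item) is not None
    }


# Constructed sample inventory, as an endpoint-management agent might report it.
SAMPLE_INVENTORY = [
    Installed("ws-01", "Acme Office Suite", "Acme Corp", "5.2.1", "application", "svc-deploy"),
    Installed("ws-01", "FreeRemoteDesk", "RemoteDesk LLC", "7.4", "application", "jdoe"),
    Installed("ws-02", "Acme PDF Reader", "Unknown", "11.0.3", "application", "asmith"),
    Installed("ws-02", "Photo Fun Editor", "Hobby Soft", "2.0", "application", "asmith"),
    Installed("ws-03", "Corp VPN Client", "Example Networks", "2.9.0", "application", "SYSTEM"),
    Installed("ws-03", "Spell Helper", "Acme Corp", "1.0.0", "browser_extension", "svc-deploy"),
    Installed("ws-03", "Coupon Finder", "Deals Inc", "3.3.1", "browser_extension", "bjones"),
    Installed("ws-04", "Acme Office Suite", "Acme Corp", "5.2.0", "application", "svc-deploy"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host:6} {f.action:7} {f.status:17} {f.kind:18} {f.name}")
    print("summary:", summarize(audit(SAMPLE_INVENTORY)))
    print("hosts where users can still install:", sorted(hosts_with_user_installs(SAMPLE_INVENTORY)))
```

Two design points matter for an assessor's view of this control. First, the baseline is keyed on publisher as well as product name, so a same-named package from an untrusted source is caught instead of being waved through as "approved software". Second, the audit separates the remediation action from the detection status: an unknown but benign application is an alert that feeds the approval workflow, while a prohibited product or an untrusted-source copy is removed outright, and the `hosts_with_user_installs` result tells you where the installation restriction (admin-rights removal, whitelisting) is not actually holding.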

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If users currently have local administrator rights, create a phased plan to remove them, starting with the highest-risk users or systems.
  • If no technical controls exist, prioritize implementation of application whitelisting or endpoint management with installation restrictions.
  • If an approved software list does not exist, document the currently approved software as a baseline and establish a maintenance process.
  • If software inventory tools are not deployed, implement them before attempting to enforce installation restrictions.
  • If controls exist but are not monitored, establish a review process and assign responsibility.
  • Consider interim compensating controls, such as increased monitoring or user training, while technical controls are implemented.
  • For BYOD or contractor devices, consider network-based controls or separate access methods rather than attempting to control software installations.
  • If business processes require frequent software installations, establish a streamlined approval process to prevent shadow IT.

Frequently Asked Questions

Does this control require removing local administrator rights from all users?

The control does not explicitly require removing local admin rights, but it is one of the most effective technical methods to prevent unauthorized software installation. If users retain admin rights, the organization must implement other controls such as application whitelisting, monitoring, and policy enforcement to satisfy the control. Assessors will expect stronger compensating controls if users have admin rights.

Do browser extensions and add-ons count as user-installed software?

Yes, browser extensions and add-ons are considered software and should be addressed by this control. Organizations should define whether browser extensions are permitted, prohibited, or require approval. Many organizations overlook browser extensions, which can introduce security risks or provide data exfiltration pathways.

How do we handle software that users need immediately for business purposes?

Organizations should establish an expedited approval process for urgent software requests while still maintaining control. This might include a pre-approved list of common business software, a fast-track approval workflow for managers, or temporary installation with post-approval review. The key is balancing business needs with security controls.

Are we required to use application whitelisting to satisfy this control?

No, application whitelisting is not explicitly required, but it is one of the most effective technical controls. Organizations can satisfy this control through other methods such as removing admin rights, using endpoint management platforms, or implementing robust monitoring and remediation processes. However, assessors will expect the chosen method to effectively prevent unauthorized installations.

What happens if we detect unauthorized software during an assessment?

Detection of unauthorized software during an assessment typically results in a finding. The severity depends on the nature of the software, how widespread the issue is, and whether the organization has processes to detect and remediate such installations. Organizations should proactively scan for and remove unauthorized software before assessment. If found, document the remediation plan and timeline.

Do we need separate controls for mobile devices and BYOD?

Mobile devices and BYOD devices that access CUI must be addressed by this control. For organization-owned mobile devices, use Mobile Device Management (MDM) to control app installations. For BYOD, organizations typically either enroll devices in MDM, use containerization to separate work and personal apps, or restrict BYOD devices from directly accessing CUI. The chosen approach must still satisfy the control's requirement to control and monitor software.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.

Information sourced from NIST SP 800-171 Rev. 2.