CM-07-727 Least Functionality

Control: CM-07-727
Title: Least Functionality
Family: Configuration Management
Baselines: LOW, MOD, HIGH
Priority: P1
Required for compliance: Yes
Date: August 24, 2016

Information resource owners shall ensure Agency-owned information resources under their control are configured to provide only the essential capabilities required for the resource, and that all exposed ports, protocols and services are flow-controlled for both inbound and outbound traffic to minimize exposure to the least number of sources/destinations necessary for the service to function.

Risk statement: Configuration standards do not exist for systems being implemented.

NIST SP 800-53 control text: The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Implementation statements:
The organization applies the concept of least privilege when providing access to application systems.
The state organization configures the information system to provide only essential capabilities.
Assessment procedure: Obtain configuration management policy; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation, and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, prohibited or restricted functions, ports, protocols, and services for the information system;
(ii) the organization configures the information system to provide only essential capabilities;
(iii) the organization configures the information system to specifically prohibit and/or restrict the use of organization-defined functions, ports, protocols, and/or services;
(iv) the organization defines in the security plan, explicitly or by reference, the frequency of the information system reviews to identify and eliminate unnecessary functions, ports, protocols, and services; and
(v) the organization reviews the information system to identify and eliminate unnecessary functions, ports, protocols, and/or services in accordance with the organization-defined frequency.
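The review in item (v), and the flow-control requirement in the control statement, can be made mechanical: compare what a system actually exposes against what the security plan declares essential, prohibited, and reachable. The script below is an added example written for this page, not part of the catalog or any agency's tooling. The baseline values, service names, port numbers and CIDR ranges in it are constructed for illustration; a real review would load the plan's own definitions and a host or scan inventory.

```python
"""Least-functionality review: an added example, not text from the catalog.

Compares what a system actually exposes against the organization-defined set of
essential capabilities (with the inbound/outbound flow control each one needs)
and the organization-defined prohibited ports, protocols and services.
All baseline values and the sample inventory below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[int, str]   # (port, protocol), e.g. (443, "tcp")
ANY = "0.0.0.0/0"            # an allow-list containing ANY means "unrestricted"


@dataclass(frozen=True)
class ExposedService:
    """What the system currently exposes, as found by a host inventory or scan."""
    name: str
    port: int
    protocol: str
    inbound_sources: frozenset = frozenset()        # CIDRs the firewall lets in
    outbound_destinations: frozenset = frozenset()  # CIDRs the service may reach


@dataclass(frozen=True)
class EssentialSpec:
    """What the security plan says a required capability may talk to."""
    service: str
    inbound_sources: frozenset
    outbound_destinations: frozenset


@dataclass
class Baseline:
    """Organization-defined essential capabilities and prohibited items."""
    essential: Dict[Endpoint, EssentialSpec]
    prohibited_endpoints: Set[Endpoint]
    prohibited_services: Set[str]


@dataclass(frozen=True)
class Finding:
    severity: str
    service: str
    endpoint: Endpoint
    reason: str


def _within(actual: frozenset, allowed: frozenset) -> bool:
    """True if every source/destination actually permitted is covered by the plan.
    Comparison is by exact CIDR string; a plan entry of ANY covers everything."""
    return ANY in allowed or actual <= allowed


def review_system(exposed: List[ExposedService], baseline: Baseline) -> List[Finding]:
    """Return one finding per deviation from the baseline, in inventory order."""
    findings: List[Finding] = []
    for svc in exposed:
        ep = (svc.port, svc.protocol.lower())
        # 1. Anything the plan prohibits outright is a finding on its own.
        if ep in baseline.prohibited_endpoints or svc.name.lower() in baseline.prohibited_services:
            findings.append(Finding("high", svc.name, ep, "prohibited by the security plan"))
            continue
        spec = baseline.essential.get(ep)
        # 2. Exposed but not an essential capability: candidate for removal.
        if spec is None:
            findings.append(Finding("medium", svc.name, ep, "not an essential capability; remove or disable"))
            continue
        # 3. Essential, but reachable from/to more than the plan allows.
        if not _within(svc.inbound_sources, spec.inbound_sources):
            findings.append(Finding("medium", svc.name, ep, "inbound sources wider than the security plan allows"))
        if not _within(svc.outbound_destinations, spec.outbound_destinations):
            findings.append(Finding("medium", svc.name, ep, "outbound destinations wider than the security plan allows"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, for the review record."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed baseline: what a hypothetical security plan declares for a web server.
SAMPLE_BASELINE = Baseline(
    essential={
        (443, "tcp"): EssentialSpec("https", frozenset({ANY}), frozenset({"10.0.20.0/24"})),
        (22, "tcp"): EssentialSpec("ssh", frozenset({"10.0.5.0/24"}), frozenset()),
    },
    prohibited_endpoints={(21, "tcp"), (23, "tcp")},
    prohibited_services={"ftp", "telnet"},
)

# Constructed inventory: what a host review found actually exposed.
SAMPLE_EXPOSED = [
    ExposedService("https", 443, "tcp", frozenset({ANY}), frozenset({"10.0.20.0/24"})),
    ExposedService("sshd", 22, "tcp", frozenset({ANY}), frozenset()),   # reachable from anywhere
    ExposedService("telnet", 23, "tcp", frozenset({ANY}), frozenset()),
    ExposedService("cupsd", 631, "tcp", frozenset({"127.0.0.0/8"}), frozenset()),
]

if __name__ == "__main__":
    results = review_system(SAMPLE_EXPOSED, SAMPLE_BASELINE)
    for f in results:
        print(f"[{f.severity}] {f.service} {f.endpoint[0]}/{f.endpoint[1]}: {f.reason}")
    print(summarize(results))
```

On the sample data the review reports three deviations: ssh is essential but reachable from more sources than the plan allows, telnet is prohibited outright, and the print service is exposed without being an essential capability. The CIDR comparison is deliberately by exact string so the logic stays transparent; a production check would compare address ranges with the `ipaddress` module and take the inventory from the host's actual listening sockets and firewall rules rather than a hand-written list.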