CIS Control 2.6: Allowlist Authorized Libraries
Unauthorized software libraries are a common attack vector that bypasses traditional perimeter defenses. CIS Control 2.6 requires technical controls to prevent malicious or unnecessary .dll, .so, and .ocx files from loading into system processes. This control is essential for reducing your attack surface and maintaining system integrity.
What this means
CIS 2.6 mandates implementation of technical controls that enforce a whitelist of approved software libraries at the operating system or application level. Only libraries explicitly authorized by your organization are permitted to load into running processes; all others are blocked. This prevents malware, supply chain attacks, and unauthorized third-party code from executing. Organizations must review and update this allowlist at least twice per year, or more frequently if your threat landscape changes.
How to comply
- 1.Inventory all legitimate software libraries (.dll, .ocx, .so files) currently in use across your systems and applications
- 2.Document business justification for each authorized library and assign ownership for approval decisions
- 3.Implement technical allowlisting controls using OS-native features (Windows AppLocker, SELinux) or third-party endpoint security tools
- 4.Configure enforcement to block non-whitelisted libraries from loading into processes in production and development environments
- 5.Establish a semi-annual review schedule to audit the allowlist against current software deployments and remove obsolete entries
- 6.Create a change management process for adding new libraries, including security review and formal approval steps
- 7.Monitor and log all blocked library load attempts to detect potential security incidents or legitimate software updates
Evidence auditors look for
- Documented inventory of authorized software libraries with version numbers and approval dates
- AppLocker or DLP policy configuration files showing allowlist rules and enforcement settings
- Change management log showing bi-annual allowlist reviews with dates and approver signatures
- Blocked library event logs or security tool reports demonstrating enforcement in action
- Approval matrix or policy document defining the process for authorizing new libraries
- Risk assessment or security justification for each category of authorized libraries
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates library allowlist inventory, tracks bi-annual review deadlines, and centralizes approval workflows—eliminating manual spreadsheet tracking and ensuring your CIS 2.6 compliance evidence is audit-ready.
See how GRCWatch handles this control automatically
Start free trial