CM.L2-3.4.6: Least Functionality — CMMC Level 2 Control
The least functionality control requires organizations to configure information systems with only the essential capabilities needed for business operations. This reduces attack surface and limits the potential impact of compromised systems. For CMMC Level 2 compliance, you must document and enforce strict configuration standards across all systems.
What this means
Least functionality means disabling unnecessary services, ports, protocols, and features on organizational systems. You configure devices—servers, workstations, network appliances—to run only the software and services required for their intended purpose. This principle directly reduces vulnerabilities by eliminating unnecessary attack vectors that threat actors could exploit.
How to comply
- 1.Inventory all systems and identify their business-critical functions
- 2.Document the minimum required services, ports, and protocols for each system type
- 3.Disable or uninstall all unnecessary software, services, and features by default
- 4.Implement configuration baselines for different system roles (servers, workstations, etc.)
- 5.Use hardening guides or benchmarks aligned with your environment
- 6.Regularly audit running services to identify and remove unnecessary capabilities
- 7.Enforce configuration standards through centralized management tools
- 8.Test configurations to ensure business functions remain unaffected
- 9.Maintain audit logs documenting configuration changes and justifications
Evidence auditors look for
- Configuration management policy defining least functionality requirements
- System hardening standards and baselines for each asset type
- Documentation of required vs. disabled services per system
- Inventory of installed software with justification for each
- Change logs showing service disablement and configuration modifications
- Screenshots or reports from configuration management tools showing active services
- Compliance scan results demonstrating removed unnecessary features
- System hardening checklists completed and signed off
- Evidence of recurring audits identifying and removing unnecessary capabilities
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically inventories your system configurations and flags unnecessary services and ports, then tracks remediation to least functionality standards, eliminating manual audit work for CM.L2-3.4.6 compliance.
See how GRCWatch handles this control automatically
Start free trial