CM.L2-3.4.7: Restrict Nonessential Programs, Functions, and Services
Nonessential software, ports, and protocols expand your attack surface and create compliance gaps. CM.L2-3.4.7 requires you to identify, disable, or remove functionality your organization doesn't use—a foundational step in reducing security risk. This control is critical for CMMC Level 2 compliance and protects contractor networks handling CUI.
What this means
This control requires organizations to restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services on all systems. The goal is to minimize attack surface by removing or hardening unnecessary capabilities. This includes disabling unused network protocols (e.g., Telnet, FTP), removing pre-installed software not required for business operations, closing unused ports, and preventing execution of unneeded services. Systems should operate with the principle of least functionality—only what is necessary to support your mission stays enabled.
How to comply
- 1.Inventory all installed software, running services, enabled ports, and active protocols across your network.
- 2.Document which programs, functions, ports, and protocols are necessary for business operations.
- 3.Disable or uninstall all nonessential programs and services on endpoints, servers, and network devices.
- 4.Close or restrict access to unused ports and disable unsupported or legacy protocols.
- 5.Implement configuration baselines that enforce minimal functionality across system types.
- 6.Use Group Policy, device management tools, or firewall rules to prevent re-enablement of disabled functions.
- 7.Conduct periodic audits (at least annually) to identify and remove functionality that has become unnecessary.
- 8.Document all disabled functions and maintain change records for audit evidence.
Evidence auditors look for
- Software inventory reports showing installed applications and justification for each.
- Service disable logs from Windows Event Viewer, Linux auditd, or similar monitoring tools.
- Firewall rules documenting closed ports and restricted protocols.
- System configuration baselines and hardening scripts applied organization-wide.
- Policy documentation defining which programs and services are prohibited or restricted.
- Audit reports from vulnerability scanners confirming disabled services and closed ports.
- Change management records showing when functions were disabled and why.
- Device management console reports (Intune, Jamf, etc.) confirming policy enforcement.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates software and service inventories across your entire network, identifies nonessential functionality against compliance templates, and tracks disable status in real-time—eliminating manual audits for CM.L2-3.4.7.
See how GRCWatch handles this control automatically
Start free trial