GRCWatch
Sign inStart free trial

CM.L2-3.4.8: Application Execution Policy – CMMC Level 2

Application execution policies are your first line of defense against unauthorized software. CMMC Level 2 requires you to either blacklist known-bad software or whitelist only approved applications. This control prevents malware, unauthorized tools, and compliance violations from running on your network.

What this means

You must enforce a policy that controls which software can run on your systems. You have two approaches: deny-by-exception (blacklisting) blocks known malicious or prohibited applications while allowing everything else, or deny-all, permit-by-exception (whitelisting) blocks everything by default and only permits pre-approved software. Whitelisting is the more secure approach and is preferred under CMMC frameworks.

How to comply

  1. 1.Choose your policy model: whitelisting (preferred) or blacklisting based on your risk tolerance and system requirements
  2. 2.Create and maintain an approved software inventory listing all authorized applications and versions
  3. 3.Document business justification for each approved application
  4. 4.Configure endpoint protection tools or Group Policy (Windows) / configuration management (Linux) to enforce the policy
  5. 5.Block or allow software execution at the kernel or application level depending on your platform
  6. 6.Regularly audit and update the policy as new software is needed or deprecated
  7. 7.Log all policy violations and unauthorized execution attempts
  8. 8.Train users on the policy and the process for requesting new software

Evidence auditors look for

  • Documented application whitelist or blacklist with approval dates and business justification
  • Endpoint Detection and Response (EDR) or Mobile Device Management (MDM) policy configurations
  • Group Policy Objects (GPOs) enforcing AppLocker or similar application control rules
  • Configuration management system rules (e.g., Puppet, Ansible) controlling software execution
  • Logs showing blocked or unauthorized application execution attempts
  • Change management records for policy updates and software approvals
  • User request and approval workflow for new software installations
  • Screenshots of endpoint security console showing active policies and enforcement status

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates policy configuration, tracks approved software inventory, and flags unauthorized execution attempts in real-time—eliminating manual spreadsheets and reducing audit preparation time for CM.L2-3.4.8.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CM.L2-3.4.1 — Security Configuration ManagementCM.L2-3.4.2 — Security Patch ManagementSI.L2-3.14.1 — Malicious Code ProtectionSI.L2-3.14.5 — Information System Monitoring