NIST PR.PT-3: Least Functionality Configuration
Least functionality reduces your organization's attack surface by disabling unnecessary services and features. This NIST Cybersecurity Framework control ensures systems run only essential capabilities, minimizing vulnerabilities and security risks. For SMBs, implementing this control is both a technical best practice and a compliance requirement.
What this means
Least functionality configuration means systematically disabling or removing non-essential services, features, and capabilities from systems and applications. This principle applies across infrastructure, endpoints, and software to ensure each asset operates at its minimum necessary capability level. By eliminating unused features, you reduce potential entry points for attackers and limit the blast radius of any compromise.
How to comply
- 1.Inventory all systems, applications, and services across your infrastructure
- 2.Document which capabilities and services are actually required for business operations
- 3.Disable or uninstall all non-essential services, ports, protocols, and features
- 4.Remove default accounts, sample data, and unnecessary user roles
- 5.Apply hardening baselines and security benchmarks to reduce default configurations
- 6.Implement allow-list firewall rules permitting only required network traffic
- 7.Review and update configurations quarterly as business needs evolve
- 8.Enforce least functionality policies in system build standards and deployment templates
Evidence auditors look for
- System hardening checklists aligned to CIS Benchmarks or DISA STIGs
- Service and port inventories showing disabled/removed non-essential items
- Firewall rules and access control lists configured for explicit allow-listing
- Configuration management baselines documenting approved minimal settings
- Application whitelisting policies limiting installed software
- Regular configuration audits and compliance scan reports
- Change logs showing removal of default accounts and sample data
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and catalogs all running services and open ports across your infrastructure, then flags non-essential configurations against NIST CSF baselines—eliminating manual audits and helping your team identify what to disable fast.
See how GRCWatch handles this control automatically
Start free trial