NetStable
Level 2 CM.L2-3.4.8

Apply deny-by-exception policy to prevent the use of unauthorized software

📖 What This Means

This practice requires organizations to control which software is allowed to run. NIST SP 800-171 3.4.8, which this practice mirrors, accepts either a deny-by-exception (blocklist) policy that names software that may not run, or a deny-all, permit-by-exception (allowlist) policy under which only explicitly approved software runs and everything else is blocked. The allowlist form is the stronger of the two and is the approach described on this page: only explicitly approved software is allowed to execute, and all other software is blocked by default. For example, a company might create a list of approved applications such as Microsoft Office and its antivirus product and block everything else. Another example is allowing only specific engineering tools in a manufacturing environment while preventing employees from installing personal software such as games or media players. Either way, systems run only what is necessary and authorized, which shrinks the attack surface and limits what an attacker can execute once inside.

🎯 Why It Matters

Unauthorized software can introduce malware, create security vulnerabilities, or lead to compliance violations. For instance, the 2017 NotPetya attack reached its first victims through a trojanized update to M.E.Doc, a legitimate accounting package, and then spread inside networks using the EternalBlue SMB exploit and stolen credentials, causing billions of dollars in damage. Application control does not stop a signed update to an approved product, so it is not a complete defense against that kind of supply-chain compromise, but it does block the unapproved tools, droppers and personal software that most intrusions rely on and restricts what an attacker can run after initial access. From the DoD's perspective, this control is critical to protecting Controlled Unclassified Information (CUI) and maintaining system integrity. Without it, organizations risk data breaches, operational disruptions, and reputational damage. Implementing this control mitigates these risks and is required for CMMC Level 2.

How to Implement

  1. Build the approved software list (name, publisher, version) with input from each department, and record it in your asset inventory or cloud management console.
  2. Enforce the list on endpoints with AppLocker or Windows Defender Application Control deployed through Group Policy or Intune; apply the equivalent MDM restrictions on macOS and Linux hosts.
  3. For cloud workloads, use inventory and posture tooling to detect unapproved software: Microsoft Defender for Cloud adaptive application controls on Azure VMs, AWS Systems Manager Inventory and State Manager, and Security Command Center or VM Manager OS inventory on GCP.
  4. Update the approved list whenever software is added or removed, and review it at least quarterly.
  5. Enable logging and monitoring so that blocked and audit-mode execution attempts are forwarded to your SIEM and reviewed.
  6. Integrate with CI/CD pipelines so that only approved, signed artifacts are deployed.
  7. Conduct periodic audits to verify that enforcement is active on every system in the CUI boundary.
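The steps above, carried through for a Windows fleet as an added example (this is not NetStable's code and not a script the page supplies): it inventories the directories that hold approved software, turns the result into a deny-all, permit-by-exception AppLocker policy, stages it in audit mode, dry-runs it against an unapproved binary, and applies it locally. The paths in $ApprovedPaths, the output file C:\Policies\applocker.xml and the Downloads test file are hypothetical; replace them with your own.

```powershell
# Added example (not NetStable's code): build a deny-all, permit-by-exception
# AppLocker policy from the directories of approved applications, stage it in
# audit mode, test an unapproved binary against it, and apply it locally.
# Assumptions (hypothetical): approved software lives under $ApprovedPaths and
# the policy is written to C:\Policies\applocker.xml.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ApprovedPaths = @(
    "$env:WINDIR",               # OS binaries (equivalent of the AppLocker default rules)
    "$env:ProgramFiles",         # Office, antivirus, engineering tools
    "${env:ProgramFiles(x86)}"
)
$PolicyPath = 'C:\Policies\applocker.xml'

# 1. Collect publisher/hash information for every executable, library, installer
#    and script under the approved locations. Publisher rules survive version
#    updates; hash rules are the fallback for unsigned files. Scanning %WINDIR%
#    is slow but keeps the OS itself runnable once the policy is enforced.
$fileInfo = foreach ($p in $ApprovedPaths) {
    Get-AppLockerFileInformation -Directory $p -Recurse -FileType Exe, Dll, WindowsInstaller, Script
}

# 2. Turn the inventory into allow rules. -Optimize merges per-file rules into one
#    rule per publisher/product. No explicit deny rules are needed: once a rule
#    collection contains any rule, AppLocker denies everything it does not allow.
$xml = New-AppLockerPolicy -FileInformation $fileInfo `
                           -RuleType Publisher, Hash `
                           -User Everyone `
                           -RuleNamePrefix 'CM.3.4.8' `
                           -Optimize -Xml

# 3. Stage in AuditOnly first. Switch to "Enabled" only after the audit events
#    (8003 for EXE/DLL, 8006 for MSI/Script) have been reviewed for false positives.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
Set-Content -Path $PolicyPath -Value $xml -Encoding UTF8

# 4. Dry-run: show what the policy would do to a file the list does not cover
#    (constructed example path; point it at a real unapproved binary).
$candidate = "$env:USERPROFILE\Downloads\mediaplayer-setup.exe"
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $candidate -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply locally for testing. AppLocker enforces nothing unless the Application
#    Identity service runs; it is a protected service, so configure it with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# For the domain, import the same XML into the GPO (Set-AppLockerPolicy -Ldap "<GPO DN>"
# or the Group Policy Management Console) and keep the XML as the approved-software evidence artifact.
```

Two things to check before leaving audit mode: that an allow rule exists for the Administrators group or your management agents so patching and remote management keep working, and that the Windows and Program Files rules cover every tool listed in the approved software list, since anything missing will stop launching the moment EnforcementMode becomes Enabled.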
⏱️ Estimated Effort

Initial rule creation typically takes 2-3 days for a small organization and requires intermediate IT skills. Plan for an audit-only period of several weeks before switching to enforcement so that legitimate software missing from the list shows up as audit events rather than outages. Ongoing maintenance requires 2-4 hours monthly.

📋 Evidence Examples

Approved Software List

Format: Excel/PDF
Frequency: Update quarterly or when new software is approved
Contents: List of all approved software with publisher and version numbers
Collection: Export from the management console (for example the AppLocker or WDAC policy XML) or maintain manually

Group Policy Configuration Screenshot

Format: PNG/JPG
Frequency: Capture after each policy change
Contents: Screenshot showing deny-by-exception policy settings
Collection: Capture from Group Policy Management Console

Audit Logs

Format: CSV/Log
Frequency: Review monthly
Contents: Logs showing blocked unauthorized software attempts
Collection: Export from endpoint protection tools
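An added example of collecting this artifact from AppLocker-enforced Windows hosts (not NetStable's code; the C:\Evidence output location and the 30-day window are assumptions): it reads the AppLocker operational logs, keeps the enforced block events (8004 for EXE/DLL, 8007 for MSI/Script) and the audit-mode "would have blocked" events (8003, 8006), resolves the user SID, and writes the CSV the evidence table calls for.

```powershell
# Added example (not NetStable's code): export AppLocker block and audit events as
# the "Audit Logs" evidence artifact. 8004/8007 are enforced blocks; 8003/8006 are
# audit-mode events to review before switching the policy to Enabled.
# Assumption (hypothetical): output goes to C:\Evidence; window is the last 30 days.
$ErrorActionPreference = 'Stop'
$Since  = (Get-Date).AddDays(-30)
$OutCsv = "C:\Evidence\applocker-blocked-$(Get-Date -Format yyyyMMdd).csv"

$queries = @(
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003, 8004; StartTime = $Since },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007; StartTime = $Since }
)

# Get-WinEvent reports "no events found" as an error; SilentlyContinue turns that into an empty result.
$events = foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
}

$rows = foreach ($e in $events) {
    # AppLocker stores the details in UserData/RuleAndFileData, not in the message text.
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData

    # TargetUser is a SID; translate it to DOMAIN\user where the SID still resolves.
    $user = $d.TargetUser
    try {
        $user = (New-Object System.Security.Principal.SecurityIdentifier($d.TargetUser)).
                    Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        EventId   = $e.Id
        Outcome   = if ($e.Id -in 8004, 8007) { 'Blocked' } else { 'AuditOnly-WouldBlock' }
        User      = $user
        FilePath  = $d.FilePath
        Publisher = $d.Fqbn        # fully qualified binary name; empty for unsigned files
        FileHash  = $d.FileHash
        Rule      = $d.RuleName
    }
}

New-Item -ItemType Directory -Path (Split-Path $OutCsv) -Force | Out-Null
$rows | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation

# Triage for the monthly review: which binaries trip the policy most often.
$rows | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize
```

Run it on each enforced host, or forward the two AppLocker logs to a collector with Windows Event Forwarding and run the same query there so the SIEM holds the evidence centrally. A high count of audit-mode events for a single FilePath is the signal that a legitimate application is missing from the approved list and needs an exception before enforcement is turned on.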

Policy Document

Format: PDF
Frequency: Review annually
Contents: Written deny-by-exception policy
Collection: Draft and approve internally

Training Records

Format: Excel/PDF
Frequency: Update after each training session
Contents: List of employees trained on the policy
Collection: Maintain in HR system

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For CM.L2-3.4.8 ("Apply deny-by-exception policy to prevent the use of unauthorized software"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it is working. Describe how the approved software list is built and maintained, how it is enforced on endpoints and servers, how exceptions are requested and approved through change control, and how blocked or audit-mode execution attempts are logged and reviewed. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"CM.L2-3.4.8 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to apply deny-by-exception policy to prevent the use of unauthorized software. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g. 'Defender for Cloud adaptive application controls screenshot, Intune/AppLocker policy export, CloudTrail or Log Analytics query results']."

On-Premise

"CM.L2-3.4.8 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to apply deny-by-exception policy to prevent the use of unauthorized software. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"CM.L2-3.4.8 is implemented across both cloud and on-premise environments. [Organization] uses [Intune/Group Policy/hybrid management tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all system types within the CUI boundary requiring baselines
  • Document configuration management tools and CMDB
  • Map change control workflow from request to implementation
  • Ensure this control covers every system within your defined CUI boundary on which software can be installed or executed
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Configuration Management Policy
  • 📄 Baseline configuration documents
  • 📄 Change management records
  • 📄 CMDB/asset inventory
  • 📄 Evidence artifacts specific to CM.L2-3.4.8
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

For this practice the assessor will ask for the written policy and the approved software list, check that the allowlist or blocklist is actually enforced on a sample of in-scope systems (for example by comparing the effective AppLocker or WDAC policy against the documented list), review how exceptions are approved through change control, and look at logs showing that blocked attempts are recorded and reviewed.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented deny-by-exception policy for software?

✅ YES → Proceed to Q2
❌ NO → GAP: Draft and approve a policy within 2 weeks.
Remediation:
Use a template and involve IT and legal teams.

Question 2: Is the approved software list up to date?

✅ YES → Proceed to Q3
❌ NO → GAP: Update the list immediately and review quarterly.
Remediation:
Collaborate with department heads to identify needed software.

Question 3: Are software restrictions enforced on all endpoints?

✅ YES → Proceed to Q4
❌ NO → GAP: Configure GPOs or endpoint protection tools within 1 week.
Remediation:
Use AppLocker, Windows Defender Application Control, or equivalent tools, starting in audit mode before enforcing.

Question 4: Are logs maintained for unauthorized software attempts?

✅ YES → Proceed to Q5
❌ NO → GAP: Enable logging in endpoint protection tools within 3 days.
Remediation:
Configure alerts for blocked and audit-mode attempts and forward the events to your SIEM.

Question 5: Have employees been trained on the policy?

✅ YES → Compliance confirmed
❌ NO → GAP: Schedule training sessions within 1 month.
Remediation:
Use a combination of in-person and online training.

⚠️ Common Mistakes (What Auditors Flag)

1. Incomplete approved software list

Why this happens: Failure to involve all departments in identifying needed software.
How to avoid: Conduct regular reviews with department heads.

2. Missing enforcement on endpoints

Why this happens: Inconsistent application of GPOs or endpoint protection.
How to avoid: Use centralized management tools and verify settings.

3. Lack of logging

Why this happens: Logging not enabled in endpoint protection tools.
How to avoid: Enable logging and configure alerts.

4. Outdated policy document

Why this happens: Failure to review and update the policy annually.
How to avoid: Set calendar reminders for annual reviews.

5. Insufficient employee training

Why this happens: Training not prioritized or documented.
How to avoid: Integrate training into onboarding and annual refreshers.

📚 Parent Policy

This practice is governed by the Configuration Management Policy

View CM Policy →

📚 Related Controls