NetStable
Level 2 CM.L2-3.4.9

Control and monitor user-installed software

📖 What This Means

This practice requires organizations to actively manage and track software that employees install on company devices. It means you need systems to prevent unauthorized software installations and monitor what's already installed. For example, if an employee tries to install a personal file-sharing app on their work laptop, your systems should either block it or flag it for review. Another example: you should have a way to detect if someone installs outdated software that could create security vulnerabilities. The goal is to maintain control over your IT environment and reduce risks from unapproved or malicious software.

🎯 Why It Matters

Uncontrolled software installations create major security risks. Employees might accidentally install malware, vulnerable applications, or unauthorized tools that bypass security controls. In 2022, 34% of malware infections came from user-installed software (Verizon DBIR). A DoD contractor was breached when an employee installed a compromised PDF converter, leading to $1.4M in remediation costs. The DoD cares about this because uncontrolled software can: 1) Introduce vulnerabilities, 2) Bypass security monitoring, 3) Create compliance gaps. CMMC requires this control to maintain system integrity and prevent supply chain attacks.

How to Implement

  1. Configure Azure Intune or AWS Systems Manager to enforce application whitelisting
  2. Set up conditional access policies requiring MFA for software installation attempts
  3. Deploy Microsoft Defender for Endpoint or AWS GuardDuty to monitor installation events
  4. Create automated alerts for any software installations outside change windows
  5. Integrate with cloud access security brokers (CASBs) like Netskope to monitor SaaS app usage
  6. Use AWS Config or Azure Policy to detect non-compliant software configurations
  7. Implement Just-In-Time (JIT) access controls for installation privileges

⏱️ Estimated Effort

Implementation: 20-40 hours (Intermediate skill level). Ongoing: 2-4 hours/month for monitoring and reviews.

📋 Evidence Examples

Approved Software Policy

Format: PDF/DOCX
Frequency: Review quarterly, update as needed
Contents: List of authorized applications, approval process, installation rules
Collection: Export from document management system

Software Installation Logs

Format: CSV/EVTX
Frequency: Weekly
Contents: Timestamp, user, software name, installation path
Collection: Export from SIEM or endpoint management tool

Exception Requests

Format: Ticket (Jira/ServiceNow)
Frequency: Review monthly
Contents: Business justification, risk assessment, approval
Collection: Export ticketing system reports

User Training Records

Format: SCORM/LMS export
Frequency: Annually
Contents: Completion records for software installation policy training
Collection: Export from learning management system

Remediation Reports

Format: PDF
Frequency: Per incident
Contents: Details of unauthorized software removals
Collection: Generate from endpoint management console

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For CM.L2-3.4.9 ("Control and monitor user-installed software"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it is working. Describe your configuration management process, including baseline configurations, change control procedures, vulnerability management, and how configuration compliance is monitored and enforced. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"CM.L2-3.4.9 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to control and monitor user-installed software. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"CM.L2-3.4.9 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to control and monitor user-installed software. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"CM.L2-3.4.9 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all system types within the CUI boundary requiring baselines
  • Document configuration management tools and CMDB
  • Map change control workflow from request to implementation
  • Ensure this control covers every system within your defined CUI boundary on which user-installed software must be controlled and monitored
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Configuration Management Policy
  • 📄 Baseline configuration documents
  • 📄 Change management records
  • 📄 CMDB/asset inventory
  • 📄 Evidence artifacts specific to CM.L2-3.4.9
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will compare actual system configurations against documented baselines, review change tickets for proper approval workflow, and verify vulnerability remediation within SLA.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented policy prohibiting unauthorized software installations?

✅ YES → Proceed to Q2
❌ NO → GAP: Create an Approved Software Policy template within 2 weeks
Remediation:
Use NIST SP 800-171 Appendix D as a starting point

Question 2: Can your systems detect and log software installation attempts?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement endpoint monitoring within 30 days (consider osquery or Wazuh)
Remediation:
Start with Windows Event Log collection (Event ID 11707)

Question 3: Do you review installed software against approved lists at least quarterly?

✅ YES → Proceed to Q4
❌ NO → GAP: Schedule first review within 15 days
Remediation:
Use PowerShell Get-WmiObject -Class Win32_Product for initial inventory
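The detection and inventory checks behind Questions 2 and 3, as an added example that is not code from the original page: it builds an installed-software inventory, pulls the MSI installation events (Event ID 11707) the Question 2 remediation refers to, flags anything not on an approved list, and writes the CSV evidence described under Software Installation Logs. Two caveats a practitioner should know before running the Question 3 command as written: Get-WmiObject is absent from PowerShell 7 (Get-CimInstance is the replacement), and querying Win32_Product makes Windows Installer re-validate every MSI package on the machine, which is slow and writes its own entries to the Application log, so this example reads the registry Uninstall keys instead. The approved-software patterns, the seven-day look-back window and the output file names are assumptions to replace with your own.

```powershell
# Added example, not code from the NetStable page: inventory installed software,
# collect MSI installation events (Event ID 11707), and reconcile both against an
# approved-software list. Assumptions: Windows PowerShell 5.1 or PowerShell 7 on the
# endpoint under review, rights to read the Application log, and the approved-software
# patterns, look-back window and output paths below are placeholders for your own.

# --- Approved software (constructed sample; replace with your policy's list) ---
# Regex patterns rather than exact names, because DisplayName usually carries a
# version or architecture suffix such as "7-Zip 23.01 (x64)".
$ApprovedPatterns = @(
    '^Microsoft 365 Apps',
    '^7-Zip',
    '^Google Chrome'
)

function Test-ApprovedSoftware {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($pattern in $ApprovedPatterns) {
        if ($Name -match $pattern) { return $true }
    }
    return $false
}

# --- 1. Inventory from the registry Uninstall keys ---
# Preferred over Win32_Product (see lead-in). The HKCU key catches per-user installs,
# which is exactly where unmanaged user-installed software tends to land.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Inventory = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        [pscustomobject]@{
            Name            = $_.DisplayName
            Version         = $_.DisplayVersion
            Publisher       = $_.Publisher
            InstallLocation = $_.InstallLocation
            Scope           = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
            Approved        = Test-ApprovedSoftware -Name $_.DisplayName
        }
    } |
    Sort-Object Name, Scope -Unique

# --- 2. MSI installation events (Event ID 11707, provider MsiInstaller, Application log) ---
# Covers MSI-based installs only; EXE installers (NSIS, Inno Setup, etc.) do not
# raise 11707, so the registry inventory above is the backstop for those.
$Since = (Get-Date).AddDays(-7)
$InstallEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Message format: "Product: <name> -- Installation completed successfully."
        $product = if ($_.Message -match 'Product:\s*(.+?)\s*--') { $Matches[1] } else { $_.Message }
        # UserId is a SID; translate it to DOMAIN\user while the account still resolves
        $sid  = $_.UserId
        $user = if ($sid) { try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value } } else { 'n/a' }
        [pscustomobject]@{
            Timestamp = $_.TimeCreated
            User      = $user
            Software  = $product
            Computer  = $_.MachineName
            Approved  = Test-ApprovedSoftware -Name $product
        }
    }

# --- 3. Findings and evidence export ---
$UnapprovedInstalled = @($Inventory     | Where-Object { -not $_.Approved })
$UnapprovedEvents    = @($InstallEvents | Where-Object { -not $_.Approved })

# CSV layout follows the "Software Installation Logs" evidence item: timestamp, user,
# software name; installation path comes from the inventory export.
if ($InstallEvents)       { $InstallEvents       | Export-Csv -Path .\software-install-log.csv -NoTypeInformation }
if ($UnapprovedInstalled) { $UnapprovedInstalled | Export-Csv -Path .\unapproved-software.csv  -NoTypeInformation }

"{0} packages installed, {1} not on the approved list" -f @($Inventory).Count, $UnapprovedInstalled.Count
"{0} MSI installs since {1:yyyy-MM-dd}, {2} not on the approved list" -f @($InstallEvents).Count, $Since, $UnapprovedEvents.Count
$UnapprovedInstalled | Format-Table Name, Version, Publisher, Scope -AutoSize
```

Run it under the account that owns the endpoint review, or wrap it in Invoke-Command to fan out across the fleet, and feed the two CSV files into the quarterly review the Question 3 schedule calls for. The "Scope = User" rows are the ones to look at first: they were installed without machine-level privileges and are the most likely to have bypassed whatever approval process exists.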

Question 4: Are users prevented from installing software without approval?

✅ YES → Proceed to Q5
❌ NO → GAP: Configure application whitelisting within 45 days
Remediation:
Start with Microsoft AppLocker basic configurations
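A first AppLocker configuration of the kind the Question 4 remediation points to, as an added example that is not code from the original page or from Microsoft: it writes a small policy with both rule collections in audit-only mode, dry-runs a file against it, applies it locally, and then reads back the events that show what enforcement would have stopped. It assumes a Windows edition that supports AppLocker, an elevated PowerShell session with the AppLocker module available, and two placeholder values (the UNC path of the approved installer share and the copy of calc.exe used for the dry run) that you replace with your own. The Administrators allow-all rule is deliberate and standard, which is why Common Mistake 1 below (standard users holding local admin rights) undoes this control entirely.

```powershell
# Added example, not code from the NetStable page: a starting AppLocker policy in
# audit-only mode, applied locally and then checked against the AppLocker event logs.
# Assumptions: a Windows edition that supports AppLocker, an elevated session, the
# AppLocker PowerShell module, and placeholder paths (the installer share, the test
# copy of calc.exe) that you replace with your own.

Import-Module AppLocker

# Rule IDs are just GUIDs; generate fresh ones rather than copying published examples.
$id = 1..4 | ForEach-Object { [guid]::NewGuid().ToString() }

# Exe rules: Everyone may run what lives in Program Files and Windows; local
# Administrators (S-1-5-32-544) may run anything. Msi rules: only packages staged on
# the IT share. EnforcementMode="AuditOnly" logs what would have been blocked without
# blocking it, so the policy can be tuned against real usage before it is set to "Enabled".
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$($id[0])" Name="Program Files" Description="Installed applications" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id[1])" Name="Windows folder" Description="Operating system binaries" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id[2])" Name="Local Administrators" Description="Admins unrestricted" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="$($id[3])" Name="Approved installer share" Description="Packages staged by IT (placeholder path)" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="\\fileserver\approved-installers\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$PolicyXml | Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run before applying anything: copy a known binary into a user-writable folder
# and ask how the policy would treat it. Expected decision for Everyone is
# DeniedByDefault, because no Exe rule covers %TEMP%.
$TestFile = Join-Path $env:TEMP 'setup-from-downloads.exe'
Copy-Item -Path "$env:WINDIR\System32\calc.exe" -Destination $TestFile -Force
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $TestFile -User Everyone

# Apply locally (-Merge keeps any rules already present). In a domain, deliver the same
# XML through a GPO under Computer Configuration > Windows Settings > Security Settings
# > Application Control Policies > AppLocker instead.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Rules are only evaluated while the Application Identity service runs. On current
# Windows builds it is a protected service, so Set-Service cannot change its start
# type; sc.exe can.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# Review the audit trail. 8003 (EXE and DLL log) and 8006 (MSI and Script log) mean
# "allowed only because the collection is in audit mode"; once enforcement is enabled
# the equivalent blocks are logged as 8004 and 8007.
$AuditLogs = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}
foreach ($log in $AuditLogs.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $AuditLogs[$log] } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{n='User';e={$_.UserId}}, @{n='Log';e={$log}}, Message
}
```

Leave the collections in AuditOnly for a review cycle, turn the 8003/8006 events into path or publisher rules for the software that turns out to be legitimate (or into exception tickets, per Common Mistake 4), and only then change EnforcementMode to Enabled. Forward the AppLocker logs to the SIEM named in your SSP narrative so the enforced blocks (8004/8007) become the detection evidence for Question 2.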

Question 5: Do you have a process to remove unauthorized software within 24 hours of detection?

✅ YES → COMPLIANT
❌ NO → GAP: Create remediation SOP within 1 week
Remediation:
Document steps using PDIO (Prepare-Detect-Isolate-Remove)

⚠️ Common Mistakes (What Auditors Flag)

1. Allowing local admin rights to standard users

Why this happens: IT teams want to reduce support tickets
How to avoid: Implement Just Enough Administration (JEA) models

2. Not monitoring SaaS application usage

Why this happens: Focus only on installed software
How to avoid: Extend monitoring to browser extensions and cloud apps

3. Approved software list is outdated

Why this happens: Infrequent reviews
How to avoid: Assign owner and set calendar reminders

4. No process for legitimate exceptions

Why this happens: Overly restrictive policies
How to avoid: Create risk-based exception workflow

5. Not correlating installations with vulnerability scans

Why this happens: Siloed tools
How to avoid: Integrate SIEM with vulnerability management

📚 Parent Policy

This practice is governed by the Configuration Management Policy


📚 Related Controls