NIST SP 800-171

Control 3.4.7

Restrict, Disable, or Prevent Nonessential Programs


Official Requirement

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

What This Means in Plain English

Go beyond least functionality by actively blocking things that are not needed. Close unused network ports, disable unnecessary protocols, and prevent users from running programs that have no business purpose.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • FortiGate firewall rules blocking all ports and protocols not explicitly required
  • Host-based firewalls on all endpoints configured via Group Policy to allow only approved traffic
  • Sophos XDR application control preventing execution of unauthorized applications
  • Cisco Meraki port security disabling unused switch ports
  • Regular port scanning and service enumeration to identify and remediate unauthorized services
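Illustrating the last bullet, an added example (not Petronella's own tooling) that compares the open ports in nmap grepable (-oG) output against a per-host baseline of explicitly approved ports and reports anything not required; the hosts, ports and scan text are constructed for the example.

```python
"""Compare a port scan against a per-host approved-service baseline (800-171 3.4.7)."""
import re
from dataclasses import dataclass

# Constructed baseline (assumed hosts and ports, not a real inventory): the only
# (protocol, port) pairs each host is explicitly approved to expose.
BASELINE = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},    # web server: SSH + HTTPS only
    "10.0.0.6": {("tcp", 445), ("tcp", 3389)},  # file server: SMB + RDP only
}

# Constructed nmap -oG style output (not a real scan); owner field assumed empty.
SCAN_OUTPUT = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.0.7 ()\tPorts: 23/open/tcp//telnet///
"""

# port/state/protocol/owner/service/... ; we only keep open ports.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)")

@dataclass
class Finding:
    host: str
    proto: str
    port: int
    service: str
    reason: str

def parse_scan(text):
    """Return {host: {(proto, port, service), ...}} for open ports in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        found = {(p, int(n), s) for n, p, s in PORT_RE.findall(line)}
        hosts.setdefault(host, set()).update(found)  # Status and Ports lines merge
    return hosts

def audit(scan, baseline):
    """Flag every open port that is not in the host's approved baseline."""
    findings = []
    for host, ports in scan.items():
        approved = baseline.get(host)
        for proto, port, service in sorted(ports, key=lambda t: t[1]):
            if approved is None:
                findings.append(Finding(host, proto, port, service, "host not in baseline"))
            elif (proto, port) not in approved:
                findings.append(Finding(host, proto, port, service, "port not approved"))
    return findings

if __name__ == "__main__":
    for f in audit(parse_scan(SCAN_OUTPUT), BASELINE):
        print(f"{f.host} {f.proto}/{f.port} ({f.service}): {f.reason}")
```

Each finding is a port to close or a service to disable (or to add to the baseline with a documented business justification), which is the evidence an assessor looks for under this control.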

Assessment Guidance

Assessors will scan systems for open ports and running services, verify that firewall rules follow a default-deny approach, test that application control blocks unauthorized software, and check that unused network ports are disabled on switches.

Common Implementation Gaps

  • Firewall rules using default-allow instead of default-deny
  • Unused network switch ports left enabled
  • No application control or whitelisting
  • Legacy protocols (SMBv1, TLS 1.0) still enabled
  • No regular port scanning to detect unauthorized services

Cross-Framework Mapping

Framework       | Mapped Controls
NIST SP 800-53  | CM-7(1), CM-7(2)
PCI DSS         | Req 1.1.6 - Justification for all services, protocols, and ports allowed

Need Help Implementing 3.4.7?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
