CMMC readiness · NIST 800-171 alignment · DFARS support Mon–Fri · 0800–1800 ET
Controls / Configuration Management / 3.4.8
3.4.8
CM.L2-3.4.8 · Level 2

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or…

NIST SP 800-171 Rev 2 · §3.4.8

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Assessment objectives

From NIST SP 800-171A · 3 objectives must be met to satisfy this control
3.4.8[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified.
Examine
[SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; security plan; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs not authorized to execute on the system; list of software programs authorized to execute on the system; security configuration checklists; review and update records associated with list of authorized or unauthorized software programs; change control records; system audit logs and records; other relevant documents or records].
Interview
[SELECT FROM: Personnel with responsibilities for identifying software authorized or not authorized to execute on the system; personnel with information security responsibilities; system or network administrators].
Test
[SELECT FROM: Organizational process for identifying, reviewing, and updating programs authorized or not authorized to execute on the system; process for implementing blacklisting or whitelisting; mechanisms supporting or implementing blacklisting or whitelisting].
3.4.8[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified.
Examine
[SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; security plan; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs not authorized to execute on the system; list of software programs authorized to execute on the system; security configuration checklists; review and update records associated with list of authorized or unauthorized software programs; change control records; system audit logs and records; other relevant documents or records].
Interview
[SELECT FROM: Personnel with responsibilities for identifying software authorized or not authorized to execute on the system; personnel with information security responsibilities; system or network administrators].
Test
[SELECT FROM: Organizational process for identifying, reviewing, and updating programs authorized or not authorized to execute on the system; process for implementing blacklisting or whitelisting; mechanisms supporting or implementing blacklisting or whitelisting].
3.4.8[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
Examine
[SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; security plan; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs not authorized to execute on the system; list of software programs authorized to execute on the system; security configuration checklists; review and update records associated with list of authorized or unauthorized software programs; change control records; system audit logs and records; other relevant documents or records].
Interview
[SELECT FROM: Personnel with responsibilities for identifying software authorized or not authorized to execute on the system; personnel with information security responsibilities; system or network administrators].
Test
[SELECT FROM: Organizational process for identifying, reviewing, and updating programs authorized or not authorized to execute on the system; process for implementing blacklisting or whitelisting; mechanisms supporting or implementing blacklisting or whitelisting].

What we look for in practice

The following are placeholder notes that should be refined based on practice experience.

What assessors look for in practice. Documented evidence that this control is implemented across all CUI-handling systems within scope. Specific artifacts vary, but expect requests for written procedures, system configurations, and operational records demonstrating the control is active.

Common failure patterns. Typical issues include incomplete documentation, inconsistent implementation across systems, and missing periodic review records. Refine this section as your practice accumulates direct assessment experience.

Strong evidence looks like. Formal policy referencing this control, technical configurations demonstrating enforcement, periodic review logs with sign-off, and procedures for handling exceptions.

Scoring and POA&M context. 5-point control under the DoD Assessment Methodology. Highest scoring impact — treat as a foundational requirement. Not POA&M-eligible — must be implemented at assessment time.