IBM Cloud Docs
CM-7 - Least Functionality

Control requirements

The organization:

CM-7 (a)
Configures the information system to provide only essential capabilities; and
CM-7 (b)
Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [IBM Assignment: limiting, disabling, and/or controlling services, features, applications, functions, ports, and protocols not explicitly required to support business functionality].

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

Rules for CM-7 in IBM Cloud for Financial Services v1.2.0 profile
Requirement ID | Rules
CM-7 (a)
  • Check whether Security Groups for VPC contains no outbound rules in security groups that specify source IP 8.8.8.8/32 to DNS port
  • Check whether Virtual Servers for VPC instance doesn't have a floating IP
  • Check whether App ID Cloud Directory users aren't able to update their own accounts
  • Check whether App ID email dispatchers are using HTTPS only
  • Check whether Application Load Balancer for VPC has public access disabled
  • Check whether Cloud Object Storage is accessible only through HTTPS
  • Check whether OpenShift clusters are accessible only by using private endpoints
  • Check whether Virtual Private Cloud (VPC) security groups have inbound ports that are open only to permitted IP addresses
  • Check whether App ID lockout policy after failed # of sign-in attempts is enabled
  • Check whether App ID social identity providers are disabled
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port
  • Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS
  • Check whether all virtual server instances have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached at the time of provisioning
  • Check whether App ID redirect URIs are not using wildcards (*)
  • Check whether App ID webhooks are using HTTPS only
  • Check whether Virtual Servers for VPC instance has all interfaces with IP-spoofing disabled
  • Check whether Virtual Private Cloud (VPC) classic access is disabled
  • Check whether Virtual Private Cloud (VPC) has no rules in the default security group
  • Check whether App ID Cloud Directory users aren't able to self-sign up to applications
  • Check whether all network interfaces of a virtual server instance have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Virtual Servers for VPC instance has the minimum # interfaces
  • Check whether App ID redirect URIs are using HTTPS only
  • Check whether Cloud Internet Services (CIS) has TLS mode set to End-to-End CA signed
  • Check whether Virtual Private Cloud (VPC) security groups have outbound ports that are open only to permitted IP addresses
  • Check whether Application Load Balancer for VPC pool uses the HTTPS protocol for HTTPS listeners
  • Check whether Application Load Balancer for VPC uses HTTPS (SSL & TLS) instead of HTTP
  • Check whether Cloud Object Storage public access is disabled in IAM settings (not applicable to ACLs managed using S3 APIs)
  • Check whether App ID anonymous authentication is disabled
  • Check whether App ID avoid password reuse policy is enabled
  • Check whether App ID user profile updates from client apps is disabled
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to RDP port
  • Check whether App ID redirect URIs are not using localhost or 127.0.0.1
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to SSH port
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port
CM-7 (b)
  • Check whether Security Groups for VPC contains no outbound rules in security groups that specify source IP 8.8.8.8/32 to DNS port
  • Check whether Virtual Servers for VPC instance doesn't have a floating IP
  • Check whether App ID Cloud Directory users aren't able to update their own accounts
  • Check whether App ID email dispatchers are using HTTPS only
  • Check whether Application Load Balancer for VPC has public access disabled
  • Check whether Cloud Object Storage is accessible only through HTTPS
  • Check whether OpenShift clusters are accessible only by using private endpoints
  • Check whether App ID lockout policy after failed # of sign-in attempts is enabled
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port
  • Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS
  • Check whether all virtual server instances have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached at the time of provisioning
  • Check whether App ID redirect URIs are not using wildcards (*)
  • Check whether DevSecOps Toolchain validates code against Center for Internet Security (CIS) Docker benchmarks to ensure container runtimes are configured securely
  • Check whether App ID webhooks are using HTTPS only
  • Check whether Virtual Servers for VPC instance has all interfaces with IP-spoofing disabled
  • Check whether Virtual Private Cloud (VPC) classic access is disabled
  • Check whether DevSecOps Toolchain passes dynamic code scan to identify vulnerabilities in deployed artifacts
  • Check whether Virtual Private Cloud (VPC) has no rules in the default security group
  • Check whether App ID Cloud Directory users aren't able to self-sign up to applications
  • Check whether all network interfaces of a virtual server instance have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether DevSecOps Toolchain passes static code scan to identify vulnerabilities in source code
  • Check whether Virtual Servers for VPC instance has the minimum # interfaces
  • Check whether App ID redirect URIs are using HTTPS only
  • Check whether Cloud Internet Services (CIS) has TLS mode set to End-to-End CA signed
  • Check whether Application Load Balancer for VPC pool uses the HTTPS protocol for HTTPS listeners
  • Check whether Application Load Balancer for VPC uses HTTPS (SSL & TLS) instead of HTTP
  • Check whether Cloud Object Storage public access is disabled in IAM settings (not applicable to ACLs managed using S3 APIs)
  • Check whether App ID anonymous authentication is disabled
  • Check whether App ID avoid password reuse policy is enabled
  • Check whether App ID user profile updates from client apps is disabled
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to RDP port
  • Check whether App ID redirect URIs are not using localhost or 127.0.0.1
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to SSH port
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port
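Several of the VPC rules above (network ACL ingress from 0.0.0.0/0 to any port, to SSH or to RDP; unrestricted egress; rules left in the default security group; inbound and outbound security group rules limited to permitted addresses) can be evaluated directly against exported configuration. The script below is an added example, not the Security and Compliance Center's implementation of these rules. The field names it reads (`direction`, `action`, `source`, `destination`, `protocol`, `destination_port_min`/`destination_port_max` on network ACL rules; `direction`, `protocol`, `port_min`/`port_max`, `remote` on security group rules) follow the IBM Cloud VPC API as the editor understands it and should be checked against a real API response; the sample objects and the permitted-CIDR list are constructed.

```python
"""Added example (not IBM's rule implementation): evaluate VPC network ACL and
security group rules against several of the CM-7 checks listed above.
Field names follow the IBM Cloud VPC API as understood by the editor (assumption);
the sample objects are constructed."""
import ipaddress

ANY_V4 = "0.0.0.0/0"
FULL_RANGE = (1, 65535)
SSH, RDP = 22, 3389

# Constructed sample network ACL (assumed API shape).
SAMPLE_NACL = {"name": "web-acl", "rules": [
    {"name": "allow-any-in", "direction": "inbound", "action": "allow",
     "source": ANY_V4, "destination": "10.0.0.0/24", "protocol": "all"},
    {"name": "allow-mgmt-range", "direction": "inbound", "action": "allow",
     "source": ANY_V4, "destination": "10.0.0.0/24", "protocol": "tcp",
     "destination_port_min": 3000, "destination_port_max": 4000},
    {"name": "allow-https-office", "direction": "inbound", "action": "allow",
     "source": "203.0.113.0/24", "destination": "10.0.0.0/24", "protocol": "tcp",
     "destination_port_min": 443, "destination_port_max": 443},
    {"name": "allow-all-out", "direction": "outbound", "action": "allow",
     "source": "10.0.0.0/24", "destination": ANY_V4, "protocol": "all"},
]}

# Constructed sample security groups; "default-sg" plays the VPC's default group.
SAMPLE_SGS = [
    {"name": "default-sg", "rules": [
        {"direction": "inbound", "protocol": "all", "remote": {"cidr_block": "10.0.0.0/8"}}]},
    {"name": "app-sg", "rules": [
        {"direction": "inbound", "protocol": "tcp", "port_min": 443, "port_max": 443,
         "remote": {"cidr_block": "203.0.113.0/24"}},
        {"direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
         "remote": {"address": "198.51.100.9"}},
        {"direction": "outbound", "protocol": "all", "remote": {"cidr_block": ANY_V4}},
        {"direction": "inbound", "protocol": "tcp", "port_min": 8080, "port_max": 8080,
         "remote": {"name": "lb-sg"}},  # remote is another security group
    ]},
]
PERMITTED_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]  # assumed organisational allowlist


def _port_range(rule, lo_key, hi_key):
    """Destination ports a rule matches; 'all' and 'icmp' rules carry no port fields."""
    if rule.get("protocol") in ("all", "icmp") or lo_key not in rule:
        return FULL_RANGE
    return rule[lo_key], rule[hi_key]


def check_network_acl(acl):
    """Flag allow rules opening 0.0.0.0/0 ingress (any port, SSH, RDP) or egress.
    Caveat: network ACL rules are ordered, first match wins; each allow rule is
    flagged on its own, without modelling an earlier deny that might shadow it."""
    findings = []
    for rule in acl["rules"]:
        if rule["action"] != "allow":
            continue
        tag = f"{acl['name']}/{rule['name']}"
        lo, hi = _port_range(rule, "destination_port_min", "destination_port_max")
        if rule["direction"] == "inbound" and rule["source"] == ANY_V4:
            if (lo, hi) == FULL_RANGE:
                findings.append(f"{tag}: ingress from {ANY_V4} to any port")
            if lo <= SSH <= hi:
                findings.append(f"{tag}: ingress from {ANY_V4} to SSH port {SSH}")
            if lo <= RDP <= hi:
                findings.append(f"{tag}: ingress from {ANY_V4} to RDP port {RDP}")
        elif rule["direction"] == "outbound" and rule["destination"] == ANY_V4:
            if (lo, hi) == FULL_RANGE:
                findings.append(f"{tag}: egress to {ANY_V4} on any port")
    return findings


def check_security_groups(groups, default_sg_name, permitted_cidrs):
    """Flag a non-empty default group and rules whose remote lies outside the allowlist."""
    permitted = [ipaddress.ip_network(c) for c in permitted_cidrs]
    findings = []
    for sg in groups:
        if sg["name"] == default_sg_name and sg["rules"]:
            findings.append(f"{sg['name']}: default security group has "
                            f"{len(sg['rules'])} rule(s); it should have none")
        for rule in sg["rules"]:
            remote = rule.get("remote", {})
            cidr = remote.get("cidr_block") or remote.get("address")
            if cidr is None:
                continue  # remote is a security group reference: allowed by these checks
            net = ipaddress.ip_network(cidr, strict=False)  # single address becomes /32
            if not any(net.subnet_of(p) for p in permitted if p.version == net.version):
                findings.append(f"{sg['name']}/{rule['direction']}: remote {cidr} "
                                f"is not within the permitted addresses")
    return findings


def run_sample():
    return (check_network_acl(SAMPLE_NACL)
            + check_security_groups(SAMPLE_SGS, "default-sg", PERMITTED_CIDRS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against the constructed sample the script reports eight findings: three for the protocol-`all` ingress rule, one for the 3000-4000 range that happens to include RDP, one for the unrestricted egress rule, one for the populated default group, and two for security group remotes (a single address and 0.0.0.0/0) outside the permitted CIDRs. A rule whose remote is another security group is skipped, since referencing a group rather than an address range is the pattern these checks want to encourage.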

NIST supplemental guidance

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
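The guidance above asks organizations to review which services and ports a system actually exposes and to identify those that are candidates for removal. On a Linux host the kernel's own socket table is the authoritative inventory, and it can be read without a network scanner. The script below is an added example, not part of the NIST text or of IBM's documentation: it parses the `/proc/net/tcp` and `/proc/net/tcp6` format (addresses stored as little-endian hex words, state `0A` for LISTEN), separates loopback-only listeners from network-reachable ones, and flags listening ports that are not on an allowlist of essential services. The table excerpts embedded in the script are constructed, and the allowlist `{22, 443}` is an assumption to be replaced with the organization's own.

```python
"""Added example (not from NIST or IBM): list listening TCP sockets from the
Linux /proc/net/tcp and /proc/net/tcp6 tables and flag ports that are not on
an allowlist of essential services. The table text below is constructed."""
import ipaddress
import socket
import struct

LISTEN = "0A"  # value of the hex state column for TCP_LISTEN

# Constructed /proc/net/tcp excerpt: sshd on 0.0.0.0:22, a database on 127.0.0.1:3306,
# HTTPS on 0.0.0.0:443, one established connection, and an FTP daemon on 0.0.0.0:21.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:A3B2 0B00000A:0016 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
   4: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
"""
# Constructed /proc/net/tcp6 excerpt: HTTP on [::]:80 and a dev server on [::1]:8080.
SAMPLE_PROC_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10006 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10007 1 0000000000000000 100 0 0 10 0
"""


def _decode_addr(hex_addr):
    """/proc stores each 32-bit word of the address as little-endian hex."""
    raw = b"".join(struct.pack("<I", int(hex_addr[i:i + 8], 16))
                   for i in range(0, len(hex_addr), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw)


def listening_sockets(proc_text):
    """Return [(address, port)] for rows in LISTEN state; the header row is skipped."""
    result = []
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":") or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        result.append((_decode_addr(addr_hex), int(port_hex, 16)))
    return result


def audit_listeners(proc_texts, allowed_ports):
    """Split listeners into (prohibited, loopback_only).
    Loopback-bound sockets are reported separately: they are not reachable from
    the network, but they are still candidate services to disable under CM-7."""
    prohibited, loopback_only = [], []
    for text in proc_texts:
        for addr, port in listening_sockets(text):
            if ipaddress.ip_address(addr).is_loopback:
                loopback_only.append((addr, port))
            elif port not in allowed_ports:
                prohibited.append((addr, port))
    return prohibited, loopback_only


if __name__ == "__main__":
    import sys
    texts = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:
            pass
    if not texts:  # not on Linux: fall back to the constructed sample tables
        texts = [SAMPLE_PROC_TCP, SAMPLE_PROC_TCP6]
    bad, local = audit_listeners(texts, allowed_ports={22, 443})  # assumed allowlist
    for addr, port in bad:
        print(f"PROHIBITED listener {addr}:{port}")
    for addr, port in local:
        print(f"loopback-only listener {addr}:{port}")
    sys.exit(1 if bad else 0)
```

On the constructed tables the audit flags 0.0.0.0:21 and [::]:80 as prohibited and lists 127.0.0.1:3306 and [::1]:8080 as loopback-only. Run on a real host, it reads the live tables; a non-zero exit makes it usable as a gate in a build or configuration pipeline. It covers TCP only; UDP listeners live in `/proc/net/udp` and `/proc/net/udp6` with the same address encoding but no LISTEN state, so the state filter would be dropped there.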