CM-7 (1) - Periodic Review

Control requirements

The organization:

CM-7 (1) (a)

Reviews the information system [IBM Assignment: at least monthly] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

CM-7 (1) (b)

Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].

NIST supplemental guidance

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.