CM.L2-3.4.9[a]: Identify the Controls You Use to Block Unauthorized Software

Mapped to NIST 800-171 Requirement: 3.4.9
CMMC Assessment Objective: CM.L2-3.4.9[a]

What This Objective Means
This control focuses on how you stop unapproved software from being installed or run (the underlying NIST 800-171 requirement, 3.4.9, reads "Control and monitor user-installed software"). You must identify the tools, configurations, or services that:
• Enforce application control
• Block unknown executables
• Detect and prevent installation of unapproved programs
• Restrict users to executing files that match allowlisted paths, publishers, or hashes
These controls help ensure that only trusted, validated software runs in your environment.

Why It Matters
If users or attackers can run unauthorized software:
• They may bypass your access control and monitoring systems
• Malware or unvetted applications may exfiltrate CUI
• Insider threats or accidental misuse may lead to serious compliance risks
This control supports least privilege and software integrity enforcement.

How to Implement It
• Identify and document your software execution controls, such as:
◦ Application allowlisting (e.g., AppLocker, Windows Defender Application Control, JAMF, third-party EDR tools)
◦ Execution restrictions via GPO, MDM, or Linux AppArmor/SELinux
◦ The rule types those tools enforce (file path, publisher certificate, file hash); path rules are only as strong as the permissions on the path, so an allow rule covering a user-writable folder allows anything a user drops there
• Define how these tools are applied and enforced per user or system role
• Maintain documentation in your:
◦ Configuration Management Plan
◦ System Security Plan (SSP)
◦ Endpoint protection platform policy
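Once the controls are documented, the configuration itself is what the assessor reads. As an added example (not part of the original page and not Cuick Trac's tooling), the Python script below audits an AppLocker policy export for the questions that come up: per rule collection, is enforcement on or only auditing, does the collection have any rules at all, and does any Allow path rule reach a location standard users can write to. It expects the XML written by the PowerShell command Get-AppLockerPolicy -Effective -Xml. The embedded SAMPLE_POLICY, its rule GUIDs and the vendor name are constructed for illustration, and the list of user-writable path prefixes is a heuristic of this example, not an AppLocker feature.

```python
"""Audit an AppLocker policy export for the 'monitor only' gap.

Added example (not Cuick Trac code). Input is the XML produced by
  Get-AppLockerPolicy -Effective -Xml
on a managed endpoint. SAMPLE_POLICY below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

COLLECTIONS = ("Exe", "Msi", "Script", "Dll", "Appx")  # AppLocker rule collections
ADMINS_SID = "S-1-5-32-544"                            # BUILTIN\Administrators


def path_is_user_writable(path: str) -> bool:
    """Heuristic: does this AppLocker path cover a location standard users can write to?"""
    p = path.upper().rstrip("*").rstrip("\\")
    if p in ("", "%OSDRIVE%"):            # "*" or "%OSDRIVE%\*" covers the whole drive
        return True
    # user profiles, removable drives, hot-plugged media (prefix list is this example's heuristic)
    return p.startswith(("%OSDRIVE%\\USERS", "%REMOVABLE%", "%HOT%"))


def audit_policy(xml_text: str) -> dict:
    """Return {collection: {"mode", "rules", "findings"}} for every AppLocker collection."""
    root = ET.fromstring(xml_text)
    report = {}
    for ctype in COLLECTIONS:
        coll = root.find(f"RuleCollection[@Type='{ctype}']")
        # a collection absent from the export behaves like NotConfigured
        mode = coll.get("EnforcementMode", "NotConfigured") if coll is not None else "NotConfigured"
        rules = list(coll) if coll is not None else []
        findings = []
        if mode != "Enabled":
            findings.append(f"{ctype}: EnforcementMode={mode}, unapproved files are logged but not blocked")
        elif not rules:
            findings.append(f"{ctype}: enforced but has no rules, so nothing in this collection is restricted")
        for rule in rules:
            if rule.tag != "FilePathRule" or rule.get("Action") != "Allow":
                continue
            if rule.get("UserOrGroupSid") == ADMINS_SID:
                continue                  # the default '*' rule for administrators is expected
            for cond in rule.iter("FilePathCondition"):
                if path_is_user_writable(cond.get("Path", "")):
                    findings.append(f"{ctype}: Allow path rule '{rule.get('Name')}' covers user-writable {cond.get('Path')}")
        report[ctype] = {"mode": mode, "rules": len(rules), "findings": findings}
    return report


def blocking_collections(report: dict) -> list:
    """Collections where files without a matching rule are actually blocked (enforced and non-empty)."""
    return [c for c, r in report.items() if r["mode"] == "Enabled" and r["rules"] > 0]


# Constructed sample export: Exe enforced with default rules plus one bad exception,
# Msi audit-only, Script not configured, Dll missing, Appx enforced but empty.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000004" Name="Signed by approved vendor" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE VENDOR, L=ANYTOWN, S=STATE, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000005" Name="Temporary exception for Downloads" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000006" Name="(Default Rule) All Windows Installer files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Installer\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx" EnforcementMode="Enabled" />
</AppLockerPolicy>"""


if __name__ == "__main__":
    rep = audit_policy(SAMPLE_POLICY)
    print("Collections that actually block:", blocking_collections(rep))
    for ctype in COLLECTIONS:
        for finding in rep[ctype]["findings"]:
            print("FINDING", finding)
```

Run against a real export (save the PowerShell output to a file and pass its contents to audit_policy) and keep the report with the SSP: an assessor will accept "Exe: Enabled, 5 rules, no writable-path exceptions" far more readily than a screenshot of the GPO editor. The same shape of check applies to any allowlisting tool that can export its rules, only the parsing changes.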

Evidence the Assessor Will Look For
• Documentation listing the controls in place to prevent unauthorized software from executing
• Policy or configuration examples (screenshots or exports)
• List of approved vs. blocked applications or hash/publisher-based controls
• Role mapping for users allowed to execute or install new software (if applicable)

Common Gaps
• No application control solution deployed
• Users can execute software from downloads or USB drives without restriction
• Tools exist but are not configured to block execution (audit or monitor-only mode, such as an AppLocker rule collection left in AuditOnly)

How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Deploying hardened systems that restrict execution to pre-approved software only
• Integrating application control at the OS and platform level
• Helping document allowlisted tools and enforcement methods
• Preventing unauthorized software from running within the enclave environment
With Cuick Trac, unapproved software doesn’t just raise an alert—it gets blocked.

Final CTA
Security isn’t just about what runs—it’s about what doesn’t.
Schedule a Cuick Trac demo and lock down your execution policies with smart, enforceable controls.
