Mapped to NIST 800-171 Requirement: 3.4.9
CMMC Assessment Objective: CM.L2-3.4.9[b]
What This Objective Means
This is the enforcement step. You’ve identified how you prevent unauthorized software from running (CM.L2-3.4.9[a])—now you must prove that your systems are:
• Technically configured to block or restrict unauthorized executables
• Using solutions such as application allowlisting, software restriction policies, or endpoint control platforms
• Maintaining those configurations across relevant endpoints
Assessors will expect to see real system settings that actively enforce software execution controls.
Why It Matters
Without enforced controls:
• Untrusted software can run unchecked, introducing malware or exfiltrating CUI
• Insider threats can escalate privileges or install backdoors
• You risk losing control of your system environment—and failing audits
Execution restrictions provide a critical line of defense against unapproved or malicious activity.
How to Implement It
• Use tools and settings such as:
◦ Microsoft AppLocker or WDAC on Windows systems
◦ Application Control features in endpoint protection platforms (e.g., CrowdStrike, SentinelOne, Bitdefender)
◦ MDM or GPO enforcement policies for managed devices
◦ Linux AppArmor, SELinux, or custom ACLs
• Ensure:
◦ Policies are applied to all relevant users/systems
◦ Allowlists include only approved software or digital signatures
◦ Enforcement is enabled (not just audit mode)
• Regularly test to confirm that unauthorized software is blocked
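One way to check the "enforcement, not just audit mode" point against an exported AppLocker policy (for example the XML produced by Get-AppLockerPolicy -Effective -Xml). This is an added example, not Cuick Trac code; the function name, the list of required rule collections, and the sample export are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export; rule conditions are trimmed and all IDs are placeholders.
SAMPLE_EXPORT = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001"
        Name="Approved publisher" UserOrGroupSid="S-1-1-0" Action="Allow" />
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002"
        Name="Approved scripts folder" UserOrGroupSid="S-1-1-0" Action="Allow" />
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""


def enforcement_gaps(policy_xml, required=("Exe", "Msi", "Script")):
    """Return {collection type: reason} for collections that block nothing.

    `required` is an assumption: set it to the collections your own
    software control policy says must be enforced.
    """
    root = ET.fromstring(policy_xml)
    seen = {}
    for rc in root.findall("RuleCollection"):
        # Count only rule elements (FilePublisherRule, FilePathRule, FileHashRule).
        rules = sum(1 for child in rc if child.tag.endswith("Rule"))
        seen[rc.get("Type")] = (rc.get("EnforcementMode", "NotConfigured"), rules)

    gaps = {}
    for ctype in required:
        if ctype not in seen:
            gaps[ctype] = "collection missing from export"
            continue
        mode, rules = seen[ctype]
        if rules == 0:
            gaps[ctype] = "no rules defined, nothing is restricted"
        elif mode == "AuditOnly":
            gaps[ctype] = "audit only: events are logged, execution is not blocked"
        # NotConfigured with rules present is enforced by AppLocker's default.
    return gaps


if __name__ == "__main__":
    for ctype, reason in enforcement_gaps(SAMPLE_EXPORT).items():
        print(f"{ctype}: {reason}")
```

Run it over the export from each in-scope endpoint; an empty result per endpoint is the kind of configuration evidence the objective asks for.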
Evidence the Assessor Will Look For
• Screenshots or exports from application control configurations
• System logs showing attempted execution of blocked software
• Endpoint or SIEM dashboards showing enforcement in place
• Documentation linking system settings to your software control policy
Common Gaps
• App control tools deployed but not in enforcement mode
• Only audit logging is enabled—no actual execution prevention
• Inconsistent or outdated allowlist definitions
How Cuick Trac Helps
Cuick Trac supports this control by:
• Restricting software execution to a defined set of approved applications
• Enforcing allowlist policies across the secure enclave
• Preventing changes to execution permissions without documented approval
• Helping customers configure and maintain endpoint-level enforcement on their managed systems
With Cuick Trac, software restrictions aren’t theoretical—they’re actively protecting your CUI systems.
Approved software runs. Everything else stops.
Schedule a Cuick Trac demo and ensure your system configuration backs up your software control policy.