National Vulnerability Database

NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

CM-11 USER-INSTALLED SOFTWARE

Family: CM - CONFIGURATION MANAGEMENT
Class:
Priority: P1 - Implement P1 security controls first.
Baseline Allocation:
  Low:      CM-11
  Moderate: CM-11
  High:     CM-11

Control Description

The organization:

a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;

b. Enforces software installation policies through [Assignment: organization-defined methods]; and

c. Monitors policy compliance at [Assignment: organization-defined frequency].

Supplemental Guidance

If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved "app stores." Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.

Related to: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4

Control Enhancements

CM-11(1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS
The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.

Related to: CA-7, SI-4
CM-11(2) USER-INSTALLED SOFTWARE | PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS
The information system prohibits user installation of software without explicit privileged status.
Supplemental Guidance: Privileged status can be obtained, for example, by serving in the role of system administrator.
Related to: AC-6
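The following is an added illustration and is not part of the NIST or NVD page: a minimal automated monitor for the compliance check in CM-11 c. and the alerting in CM-11(1). It parses constructed dpkg-style package log lines (the format written to /var/log/dpkg.log on Debian-based systems), compares every install against an organization-defined allowlist, treats upgrades of already-installed software as permitted ("updates and security patches to existing software"), and produces an alert record for each unauthorized installation. The allowlist, the log lines, the package names and the notified role are all assumptions made for the example.

```python
"""Added example (not NIST or NVD code): CM-11 c. / CM-11(1) monitor."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample lines in dpkg.log format; not captured from a real host.
SAMPLE_DPKG_LOG = """\
2024-03-04 09:12:01 startup packages configure
2024-03-04 09:12:02 install curl:amd64 <none> 7.88.1-10+deb12u5
2024-03-04 09:15:40 upgrade openssl:amd64 3.0.11-1~deb12u2 3.0.13-1~deb12u1
2024-03-04 10:02:17 install ncdu:amd64 <none> 1.18-0.2
2024-03-04 10:05:55 status installed ncdu:amd64 1.18-0.2
2024-03-04 11:30:09 install unknown-vendor-agent:amd64 <none> 1.0
"""


@dataclass(frozen=True)
class InstallPolicy:
    """[Assignment: organization-defined policies] - assumed values for the example."""
    approved_packages: frozenset[str]
    allow_upgrades: bool = True   # updates/patches to existing software are permitted
    alert_role: str = "ISSO"      # [Assignment: organization-defined personnel or roles]


@dataclass(frozen=True)
class InstallEvent:
    timestamp: str
    action: str      # "install" or "upgrade"
    package: str     # package name without the ":arch" suffix
    version: str     # version being installed


@dataclass(frozen=True)
class Alert:
    notify: str      # role that CM-11(1) says must be alerted
    event: InstallEvent
    reason: str


# "<date> <time> install|upgrade <pkg>[:arch] <old-version> <new-version>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>install|upgrade) (?P<pkg>[^\s:]+)(?::\S+)? (?P<old>\S+) (?P<new>\S+)$"
)

# Assumed organization-defined allowlist (hypothetical).
EXAMPLE_POLICY = InstallPolicy(approved_packages=frozenset({"curl", "openssl", "vim"}))


def parse_dpkg_log(lines: Iterable[str]) -> list[InstallEvent]:
    """Extract install/upgrade events; 'startup' and 'status' lines are ignored."""
    events: list[InstallEvent] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(InstallEvent(
                timestamp=f"{m['date']} {m['time']}",
                action=m["action"],
                package=m["pkg"],
                version=m["new"],
            ))
    return events


def evaluate(events: Iterable[InstallEvent], policy: InstallPolicy) -> list[Alert]:
    """Return one Alert per event the installation policy does not permit."""
    alerts: list[Alert] = []
    for ev in events:
        if ev.action == "upgrade" and policy.allow_upgrades:
            continue                      # patching existing software is allowed
        if ev.package in policy.approved_packages:
            continue                      # explicitly approved software
        reason = (f"{ev.action} of '{ev.package}' {ev.version} at {ev.timestamp} "
                  f"is not permitted by the software installation policy")
        alerts.append(Alert(notify=policy.alert_role, event=ev, reason=reason))
    return alerts


def compliance_report(events: list[InstallEvent], alerts: list[Alert]) -> dict:
    """Summary for the periodic compliance check required by CM-11 c."""
    return {"events": len(events), "unauthorized": len(alerts), "compliant": not alerts}


if __name__ == "__main__":
    evs = parse_dpkg_log(SAMPLE_DPKG_LOG.splitlines())
    found = evaluate(evs, EXAMPLE_POLICY)
    for a in found:
        print(f"ALERT -> {a.notify}: {a.reason}")
    print(compliance_report(evs, found))
```

On a real deployment the log source would be the host's package manager log or an endpoint inventory feed and the alert would be routed through the monitoring path referenced by CA-7 and SI-4; the policy object is the piece that maps directly onto the assignment parameters in CM-11 a. and CM-11(1).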

References

None.