CM 11 USER INSTALLED SOFTWARE - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

CM-11 USER-INSTALLED SOFTWARE

Control:

  • a. Establish [ Assignment: organization-defined policies ] governing the installation of software by users;
  • b. Enforce software installation policies through the following methods: [ Assignment: organization-defined methods ]; and
  • c. Monitor policy compliance [ Assignment: organization-defined frequency ].

Discussion: If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

Related Controls: AC-3, AU-6, CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, PL-4, SI-4, SI-7.

Control Enhancements:

  • (1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS
    [Withdrawn: Incorporated into CM-8(3).]

  • (2) USER-INSTALLED SOFTWARE | SOFTWARE INSTALLATION WITH PRIVILEGED STATUS
    Allow user installation of software only with explicit privileged status.

    Discussion: Privileged status can be obtained, for example, by serving in the role of system administrator.

    Related Controls: AC-5, AC-6.

  • (3) USER-INSTALLED SOFTWARE | AUTOMATED ENFORCEMENT AND MONITORING
    Enforce and monitor compliance with software installation policies using [ Assignment: organization-defined automated mechanisms ].

    Discussion: Organizations enforce and monitor compliance with software installation policies using automated mechanisms to more quickly detect and respond to unauthorized software installation, which can be an indicator of an internal or external hostile attack.

    Related Controls: None.
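One concrete form the automated monitoring in CM-11(3) can take is comparing the package manager's install log against the organization's approved-software list and raising an alert for anything outside it. The example below is added here for illustration and is not part of NIST SP 800-53 or of this wiki; it assumes the Debian/Ubuntu `/var/log/dpkg.log` line format, uses a handful of constructed log lines, and treats the `APPROVED_PACKAGES` set as a stand-in for an organization-defined allowlist. Following the CM-11 discussion, upgrades of already-approved software pass, while installs or upgrades of anything not on the list are reported as policy violations.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/log/dpkg.log lines (not captured from a real host).
SAMPLE_DPKG_LOG = """\
2024-03-04 09:12:01 install curl:amd64 <none> 7.88.1-10
2024-03-04 09:12:02 status installed curl:amd64 7.88.1-10
2024-03-04 09:15:40 upgrade openssl:amd64 3.0.11-1 3.0.13-1
2024-03-04 09:15:41 status installed openssl:amd64 3.0.13-1
2024-03-04 11:47:13 install netcat-traditional:amd64 <none> 1.10-47
2024-03-04 11:47:14 status installed netcat-traditional:amd64 1.10-47
2024-03-04 12:03:55 install vim:amd64 <none> 2:9.0.1378-2
malformed line that the parser must skip
"""

# Hypothetical organization-defined allowlist (the CM-11 "organization-defined policy").
APPROVED_PACKAGES = {"curl", "openssl", "vim", "git"}

# dpkg.log action lines: "<date> <time> <action> <pkg>[:<arch>] <old-version> <new-version>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>install|upgrade|remove|purge) "
    r"(?P<pkg>[^:\s]+)(?::(?P<arch>\S+))? "
    r"(?P<old>\S+) (?P<new>\S+)$"
)


@dataclass(frozen=True)
class PackageEvent:
    timestamp: str
    action: str
    package: str
    old_version: str
    new_version: str


def parse_dpkg_log(text):
    """Return the install/upgrade/remove/purge events in a dpkg.log body.

    'status' and 'trigproc' lines, and anything malformed, carry no
    installation decision and are skipped rather than treated as errors.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(PackageEvent(m["ts"], m["action"], m["pkg"], m["old"], m["new"]))
    return events


def find_violations(events, approved):
    """Return events that add or change software outside the approved list.

    Installs and upgrades of approved packages are permitted (updates and
    patches to existing, approved software are allowed by the policy);
    removals are not installation events and are never flagged.
    """
    return [
        ev
        for ev in events
        if ev.action in {"install", "upgrade"} and ev.package not in approved
    ]


def format_alert(ev):
    """Render one violation as a single log line suitable for a SIEM or ticket."""
    return (
        f"CM-11 VIOLATION {ev.timestamp} action={ev.action} "
        f"package={ev.package} version={ev.new_version}"
    )


if __name__ == "__main__":
    events = parse_dpkg_log(SAMPLE_DPKG_LOG)
    for violation in find_violations(events, APPROVED_PACKAGES):
        print(format_alert(violation))
```

Run against the constructed sample, only `netcat-traditional` is reported: `curl` and `vim` are approved installs and the `openssl` line is an upgrade of approved software. On a real host the same functions would be fed the contents of `/var/log/dpkg.log` (or the equivalent log for another package manager) on the organization-defined monitoring frequency from CM-11c.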

References: None.
