CM.L2-3.4.6 — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
What this control requires
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Source: CMMC L2 v2.13 CM.L2-3.4.6 / NIST SP 800-171 R2 3.4.6 (official control text).
Why this matters
Attackers exploit unnecessary services, open ports, and unused features to gain footholds in networks. Every enabled capability—whether a background service, network protocol, or software module—expands the attack surface. Least functionality means stripping systems down to only what's required for business operations, eliminating the tools adversaries use for lateral movement, data exfiltration, and persistent access. This control protects CUI by removing the scaffolding attackers climb to reach sensitive data, forcing them through hardened, monitored pathways instead of forgotten side doors.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.