bigforceone

CM.L2-3.4.7: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

What this control requires

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Source: CMMC L2 v2.13 CM.L2-3.4.7 / NIST SP 800-171 R2 3.4.7 (official control text).

Why this matters

Every running program, open port, and active protocol expands the attack surface available to adversaries. Nonessential services create pathways for lateral movement, data exfiltration, and malware execution. This control enforces a principle of minimum functionality: if a capability is not required for business operations, it should be disabled or blocked. By restricting Bluetooth, FTP, peer-to-peer protocols, unnecessary executables, and unused network services, the organization reduces exploit opportunities and limits what an attacker can leverage after initial compromise. This directly protects CUI by eliminating unnecessary pathways through which sensitive data could be accessed or transmitted without authorization.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
