CM.L2-3.4.8 — Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
What this control requires
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Source: CMMC L2 v2.13 CM.L2-3.4.8 / NIST SP 800-171 R2 3.4.8 (official control text).
Why this matters
Most ransomware, malware, and insider threats succeed because unauthorized executables run undetected on endpoints. This control requires organizations either to explicitly block known-bad software (blacklisting) or to explicitly allow only approved software (whitelisting). Whitelisting is stronger because it blocks everything except what you trust, so a never-seen binary, whether zero-day malware or a shadow IT tool, cannot execute even when no signature exists for it. Without enforcement, attackers can drop binaries, scripts, or portable apps that signature-based antivirus does not recognize. This control protects data confidentiality and system integrity by ensuring that only vetted, organization-approved software runs on CUI-handling systems.
What evidence assessors expect
Assessors typically look for a screenshot and a CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on CM.L2-3.4.8.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →