CM.L2-3.4.9 — Control and monitor user-installed software.
What this control requires
Control and monitor user-installed software.
Source: CMMC L2 v2.13 CM.L2-3.4.9 / NIST SP 800-171 R2 3.4.9 (official control text).
Why this matters
User-installed software is a common vector for malware, data exfiltration tools, and license violations. When employees can freely install applications without oversight, the organization loses visibility into what code runs on its systems and what data those applications access. This control prevents shadow IT from introducing vulnerabilities, ensures only vetted software runs in the environment, and maintains an auditable record of what's installed across workstations and servers. It protects both the organization's intellectual property and the sensitive data it holds on behalf of customers and partners.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.