03.04.06 — Least Functionality
What this control requires
(a) Configure the system to provide only mission-essential capabilities.
(b) Prohibit or restrict use of the following functions, ports, protocols, connections, and services: {{ insert: param, A.03.04.06.ODP.01 }}.
(c) Review the system {{ insert: param, A.03.04.06.ODP.06 }} to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.
(d) Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure.
Source: NIST SP 800-171 R3 §03.04.06 (official control text).
Why this matters
Systems ship with dozens of features, protocols, and services enabled by default, many of which your organization never uses but attackers routinely exploit. Unneeded services such as FTP, outdated protocols such as SMBv1, and unused features such as Bluetooth or Remote Desktop all widen your attack surface. Every disabled feature is one less vector for compromise. This control requires you to identify what your business actually needs, lock down everything else, and regularly audit for configuration drift. It's the principle of minimalism applied to cybersecurity: if you don't need it, turn it off.
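Steps (b) through (d) come down to comparing what a host actually exposes against what has been approved. As an added example (not code from the original page or from FORCE), the following script parses `ss -tulnp` output, checks each listener against a hypothetical allow-list that stands in for the ODP.01 parameter, and lists the unapproved services for review and removal; the sample output and the allow-list are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Hypothetical allow-list standing in for the ODP.01 parameter: (protocol, port) pairs approved as mission-essential.
ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 123)}

# Constructed sample in the layout of `ss -tulnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=901,fd=4))
tcp   LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=1003,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=1100,fd=5))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("chronyd",pid=700,fd=2))
"""

LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'\("([^"]+)"')  # program name inside users:(("name",pid=...))
LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:  # reachable from beyond the host itself?
        return self.addr not in LOOPBACK


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp` text into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrecognized line
        proc = PROC_RE.search(m["proc"])
        listeners.append(Listener(m["proto"], m["addr"], int(m["port"]),
                                  proc.group(1) if proc else "unknown"))
    return listeners


def find_unapproved(listeners: list[Listener], allowed=ALLOWED) -> list[Listener]:
    """Listeners outside the allow-list, network-exposed ones first, then by port."""
    return sorted((l for l in listeners if (l.proto, l.port) not in allowed),
                  key=lambda l: (not l.exposed, l.port))
```

Run it on the schedule chosen for step (c) and diff the result against the previous run to catch configuration drift.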
What evidence assessors expect
Assessors typically look for screenshots, CSV exports, and configuration exports. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on 03.04.06.
FORCE shows where you stand on this control and walks you through closing it.