bigforceone

03.04.08(a) Identify software programs authorized to execute on the system. (b) Implement a deny-all, allow-by-exception policy for the execution of authorized software programs on the system. (c) Review and update the list of authorized software programs {{ insert: param, A.03.04.08.ODP.01 }}.

What this control requires

(a) Identify software programs authorized to execute on the system. (b) Implement a deny-all, allow-by-exception policy for the execution of authorized software programs on the system. (c) Review and update the list of authorized software programs {{ insert: param, A.03.04.08.ODP.01 }}.

Source: NIST SP 800-171 R3 §03.04.08 (official control text).

Why this matters

Application whitelisting prevents malicious software, ransomware, and unauthorized tools from executing on organizational systems. By default-denying all software and explicitly permitting only vetted programs, this control blocks drive-by downloads, insider installation of unapproved tools, and execution of malware payloads. Without this safeguard, attackers can run credential harvesters, lateral movement tools, or data exfiltration utilities freely. This control is particularly critical for servers, privileged workstations, and systems processing CUI, where unauthorized code execution poses direct risk to confidential information and system integrity.
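As an added illustration of the three parts of this control (not code from the page, NIST, or FORCE), the following models a deny-all, allow-by-exception decision in which each authorized program is pinned by its SHA-256 rather than its file path, together with the review-age check of part (c). The 90-day review interval, the program names, paths, and byte strings are all constructed assumptions; the real value of A.03.04.08.ODP.01 is organization-defined.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed value for the organization-defined parameter A.03.04.08.ODP.01.
REVIEW_FREQUENCY = timedelta(days=90)

@dataclass(frozen=True)
class AuthorizedProgram:   # one entry of the (a) inventory
    name: str
    path: str
    sha256: str            # hash of the approved binary itself

@dataclass
class Allowlist:
    programs: list[AuthorizedProgram]
    last_reviewed: date

    def decide(self, path: str, content: bytes, by: str = "hash") -> str:
        """(b) default deny: ALLOW only when an inventoried program matches.
        by="hash" pins the approved bytes; by="path" trusts the location."""
        digest = hashlib.sha256(content).hexdigest()
        for p in self.programs:
            if by == "hash" and p.sha256 == digest:
                return "ALLOW"
            if by == "path" and p.path == path:
                return "ALLOW"
        return "DENY"      # nothing matched, so the program must not run

    def review_overdue(self, today: date) -> bool:
        """(c) the list itself must be re-reviewed on schedule."""
        return today - self.last_reviewed > REVIEW_FREQUENCY

# Constructed sample data: short byte strings stand in for executables.
APPROVED_BIN = b"approved-backup-agent-v1"
UNAPPROVED_BIN = b"unapproved-tool-copied-over-the-approved-path"
ALLOWLIST = Allowlist(
    programs=[AuthorizedProgram("backup-agent", r"C:\Tools\agent.exe",
                                hashlib.sha256(APPROVED_BIN).hexdigest())],
    last_reviewed=date(2024, 1, 15),
)

def evaluate(path: str, content: bytes) -> dict[str, str]:
    """Decision under both identification schemes, side by side."""
    return {"hash": ALLOWLIST.decide(path, content, "hash"),
            "path": ALLOWLIST.decide(path, content, "path")}
```

Running `evaluate` on an unapproved binary placed at the approved path shows the path-based rule allowing it while the hash-based rule denies it, which is why the inventory in part (a) should record what the program is, not only where it lives.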

What evidence assessors expect

Assessors typically look for evidence artifacts such as PDF documents and screenshots. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on 03.04.08.

FORCE shows where you stand on this control and walks you through closing it.
