
3.4.6 — Shrink the Attack Surface

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Every CUI system should do only what it needs to do — nothing more. Disable or remove features, services, and components that aren’t required for the system’s function.

Two things the assessor checks:

  1. Essential capabilities are defined. For each system type, you’ve documented what that system needs to do and what software and services it requires. A CUI file server needs file sharing and backup — it doesn’t need a web server, print spooler, or remote desktop. A CUI workstation needs the approved application set — it doesn’t need development tools, media players, or games.

  2. Systems are configured to provide only those capabilities. Unnecessary features are actually disabled or removed — not just unused. The assessor will look at a system and check for: unnecessary services running, unused software installed, features enabled that serve no business purpose.

This is the principle side — the philosophy of minimal functionality. Requirement 3.4.7 is the enforcement side — actively blocking nonessential programs, ports, protocols, and services. Think of 3.4.6 as “define what’s needed and configure accordingly” and 3.4.7 as “actively prevent everything else.”

Systems come from vendors with everything turned on. Windows installs a dozen services you’ll never use. Cloud services enable features by default. Your job is to strip them down to the minimum needed.
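One way to turn the two assessor checks above into repeatable evidence on a Windows host, as an added example that is not from the original page: a script that compares what is running and installed against a documented essential-capabilities list for the host's role. The role names, the service, prohibited-service and approved-software lists, and the report path are illustrative assumptions; replace them with the list you documented per system type.

```powershell
# Added example (not from the original page): audit a Windows host against a
# documented list of essential services and approved software for its role.
# Role names, the lists below, and the report path are illustrative assumptions.

param(
    [ValidateSet('CUI-FileServer', 'CUI-Workstation')]
    [string]$Role = 'CUI-FileServer',
    [string]$ReportPath = "$env:TEMP\least-functionality-$env:COMPUTERNAME.csv"
)

# Documented essential services per role (illustrative). Any running service
# not on the role's list is reported for review: document why it is essential
# or disable it.
$EssentialServices = @{
    'CUI-FileServer'  = @('LanmanServer', 'EventLog', 'W32Time', 'Dnscache',
                          'RpcSs', 'Winmgmt', 'wuauserv', 'WinDefend', 'Netlogon')
    'CUI-Workstation' = @('LanmanWorkstation', 'EventLog', 'W32Time', 'Dnscache',
                          'RpcSs', 'Winmgmt', 'wuauserv', 'WinDefend', 'Dhcp')
}

# Services with no business purpose on a given role (illustrative).
$ProhibitedServices = @{
    'CUI-FileServer'  = @('W3SVC', 'Spooler')               # IIS, print spooler
    'CUI-Workstation' = @('RemoteRegistry', 'SSDPSRV')      # remote registry, UPnP discovery
}

# Approved software per role, matched as wildcards against DisplayName (illustrative).
$ApprovedSoftware = @{
    'CUI-FileServer'  = @('Microsoft Visual C++*', 'Backup Agent*')
    'CUI-Workstation' = @('Microsoft Office*', 'Microsoft Visual C++*', 'Adobe Acrobat Reader*')
}

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Category, [string]$Item, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Computer = $env:COMPUTERNAME; Role = $Role
        Category = $Category; Item = $Item; Detail = $Detail
    })
}

# 1. Running services: prohibited ones are findings, undocumented ones need review.
foreach ($svc in Get-Service | Where-Object Status -eq 'Running') {
    if ($ProhibitedServices[$Role] -contains $svc.Name) {
        Add-Finding 'Service' $svc.Name "Prohibited for role $Role but running ($($svc.DisplayName))"
    } elseif ($EssentialServices[$Role] -notcontains $svc.Name) {
        Add-Finding 'Service-Review' $svc.Name "Running but not on the documented essential list ($($svc.DisplayName))"
    }
}

# 2. Installed software (from the Uninstall registry keys): anything not matching
#    an approved pattern is a finding.
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object -ExpandProperty DisplayName -Unique
foreach ($app in $installed) {
    $approved = $ApprovedSoftware[$Role] | Where-Object { $app -like $_ }
    if (-not $approved) { Add-Finding 'Software' $app 'Installed but not on the approved list' }
}

# 3. Remote Desktop: fDenyTSConnections = 0 means RDP connections are allowed,
#    which the workstation role in this example does not need.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($Role -eq 'CUI-Workstation' -and $rdp -and $rdp.fDenyTSConnections -eq 0) {
    Add-Finding 'Feature' 'RemoteDesktop' 'Remote Desktop connections enabled on a workstation role'
}

# Write the evidence file the assessor can review and print a summary.
if ($findings.Count -gt 0) {
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    $findings | Sort-Object Category | Format-Table -AutoSize
    Write-Host "$($findings.Count) item(s) written to $ReportPath"
} else {
    Write-Host "No findings: $env:COMPUTERNAME matches the documented $Role list"
}
```

Run it with `-Role CUI-Workstation` on a workstation and keep the CSV with the system's configuration record; a `Service-Review` row is the cue to either add the service to the documented essential list with a reason, or disable it. The script only reads service state and registry keys, so it does not need elevation.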


Your assessor needs a “yes” to every row:

  1. Are essential system capabilities defined for each system type?
     What “yes” looks like: a documented list per system role: what the system does, what software and services it requires.
  2. Is the system configured to provide only those essential capabilities?
     What “yes” looks like: unnecessary services disabled, unused software removed, non-essential features turned off.

Documents they’ll review: Configuration management policy; procedures addressing least functionality; system security plan; system design documentation; system configuration settings; security configuration checklists showing disabled services and removed software

People they’ll talk to: Personnel with security configuration management responsibilities; information security personnel; system or network administrators

Live demos they’ll ask for: “Show me the running services on this CUI server — explain which are essential and why.” “Is there software installed that isn’t needed for this system’s function?” “Show me your documentation of essential capabilities per system type.”


These are the actual questions. Have answers ready.

  • “What is this system’s role? What capabilities does it need?”
  • “Show me the running services — which ones are essential and which aren’t?”
  • “Is there any software on this system that isn’t needed for its function?”
  • “How do you determine what’s essential vs. nonessential?”
  • “Are roles and functions for each system identified along with the software and services required?”
  • “Show me a system configured to exclude functions not needed in the operational environment.”

Default installations. Systems deployed with every feature enabled and every service running because “it came that way.” The assessor finds IIS running on a file server or Remote Desktop enabled on workstations that don’t need it. Strip systems down during deployment.

No documentation of essential capabilities. Services are disabled but nobody documented what should or shouldn’t run. The assessor asks “how did you determine what to disable?” and there’s no answer. Define essential capabilities per system role before hardening.

Workstation bloat. CUI workstations have development tools, media software, games, and utilities that nobody uses for CUI work. If it’s not on the essential capabilities list, remove it.

Cloud services at default. Azure or AWS services provisioned with all features enabled. The same principle applies to cloud — disable features you don’t use. An Azure Storage account with public blob access enabled when you only need private access is a finding.
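The Azure Storage finding described above can be checked across a subscription the same way, as an added example that is not from the original page. It assumes the Az.Storage PowerShell module is installed and `Connect-AzAccount` has already been run for the subscription under review; the `-Remediate` switch name is this example's own.

```powershell
# Added example (not from the original page): list Azure Storage accounts that
# still allow public blob access, and optionally disable it. Assumes Az.Storage
# is installed and Connect-AzAccount has been run; -Remediate is this example's own switch.

param([switch]$Remediate)

$report = foreach ($sa in Get-AzStorageAccount) {
    $allow = $sa.AllowBlobPublicAccess
    [pscustomobject]@{
        ResourceGroup    = $sa.ResourceGroupName
        Account          = $sa.StorageAccountName
        # $null means the setting was never explicitly written; treat it as a review item
        PublicBlobAccess = if ($null -eq $allow) { 'not set' } else { $allow }
        Finding          = ($allow -ne $false)
    }
}

# Evidence table: one row per account, with the Finding column for the assessor.
$report | Format-Table -AutoSize

foreach ($row in $report | Where-Object Finding) {
    if ($Remediate) {
        # Hardening step: turn the account-level public blob access switch off.
        Set-AzStorageAccount -ResourceGroupName $row.ResourceGroup -Name $row.Account `
            -AllowBlobPublicAccess $false | Out-Null
        Write-Host "Disabled public blob access on $($row.Account)"
    } else {
        Write-Host "FINDING: $($row.Account) allows (or does not explicitly deny) public blob access"
    }
}
```

Run it without `-Remediate` first and attach the table to the system security plan as evidence; rerun with `-Remediate` only after confirming that none of the flagged accounts has a documented business need for public blob access.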



Related requirements, and why each matters here:

  • 3.4.7 — Block What’s Not Needed: actively prevents nonessential programs, ports, protocols, and services.
  • 3.4.1 — Know Your Inventory: software inventory supports identifying what’s installed vs. what’s needed.
  • 3.4.2 — Harden Everything: least functionality is a key part of the hardening baseline.
  • 3.13.1 — Guard the Boundaries: reduced functionality means fewer services exposed at network boundaries.



CMMC Practice ID: CM.L2-3.4.6 | SPRS Weight: 5 points | POA&M Eligible: No