3.4.7 — Block What's Not Needed

The One-Liner

3.4.6 says “configure for least functionality.” This requirement says “actively block everything else.”

What It Says

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

What It Actually Means

Where 3.4.6 says “provide only essential capabilities,” this requirement says “actively prevent the rest.” Five categories, each assessed independently:

1. Programs. Define what software is essential, define what’s not, and prevent the nonessential from executing. This is application control — whitelisting or blacklisting (detailed in 3.4.8). Users shouldn’t be able to run unauthorized executables.

2. Functions. Disable unnecessary system features — Remote Desktop on workstations that don’t need it, macro execution in Office when not required, PowerShell in full language mode for standard users.

3. Ports. Close unnecessary network ports. Default-deny on firewalls — only ports serving a documented business function are open. A port scan of any CUI system should return only the ports on your allowed list.

4. Protocols. Disable insecure or unnecessary protocols. TLS 1.0 and 1.1 disabled. SMBv1 disabled. FTP replaced with SFTP. Telnet replaced with SSH. NTLMv1 disabled. If a legacy protocol is still required, document the exception with a compensating control and remediation timeline.

5. Services. Stop and disable services not needed for the system’s function. This goes beyond 3.4.6 — here the assessor expects technical prevention, not just configuration. A disabled service that can be re-enabled by a user isn’t sufficient if that user shouldn’t be able to start it.

This is the most granular requirement in the CM family — 15 determination statements. The assessor will verify each of the five categories: are essentials defined, are nonessentials defined, and are nonessentials actively restricted?

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are essential programs defined?	Documented approved software list per system type
2	Are nonessential programs defined?	Documented list of prohibited or restricted software
3	Are nonessential programs restricted or prevented?	Application control blocks unauthorized executables
4	Are essential functions defined?	Documented list of required system features per role
5	Are nonessential functions restricted?	Unnecessary features disabled and prevented from being re-enabled
6	Are essential ports defined?	Documented port list per system type — only required ports open
7	Are nonessential ports restricted?	Firewall rules block all ports not on the allowed list (default-deny)
8	Are nonessential ports prevented?	Port scans confirm only approved ports respond
9	Are essential protocols defined?	Documented allowed protocols per system type
10	Are nonessential protocols restricted?	Legacy protocols (TLS 1.0, SMBv1, FTP, Telnet) disabled
11	Are nonessential protocols prevented?	Protocol scans confirm disabled protocols don’t respond
12	Are essential services defined?	Documented list of required services per system role
13	Are nonessential services defined?	Documented list of services that must be disabled
14	Are nonessential services restricted?	Services stopped and set to disabled startup type
15	Are nonessential services prevented?	Group policy or Intune prevents re-enabling disabled services

---

What to Have Ready on Assessment Day

Documents they’ll review: Configuration management policy; procedures addressing least functionality; system security plan; configuration checklists; documented reviews of programs, functions, ports, protocols, and services; system configuration settings; specifications for preventing software execution; change control records

People they’ll talk to: Personnel responsible for reviewing programs, functions, ports, protocols, and services; information security personnel; system or network administrators

Live demos they’ll ask for: “Show me a port scan of this CUI server — what’s open and why.” “Try to run an unapproved application on this workstation.” “Show me that TLS 1.0 is disabled.” “Show me the firewall rule set — is it default-deny?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me the allowed ports on this CUI system. Is the firewall default-deny?”
• “Are only applications needed for the system’s function configured and enabled?”
• “What protocols are allowed? Show me that TLS 1.0 and SMBv1 are disabled.”
• “Are system services reviewed to determine what’s essential?”
• “Can a user install or execute unauthorized software? Demonstrate.”
• “Show me your allowed port and protocol list per system type.”

Real-World Example

A defense contractor maintains a hardening standard that addresses all five categories. For CUI workstations: approved software enforced via Windows Defender Application Control (WDAC) — only signed, approved executables run. Remote Desktop disabled and prevented from re-enabling via Intune. Windows Firewall configured default-deny with only HTTPS (443), DNS (53), and VPN (UDP 500/4500) outbound plus Kerberos to the domain controller. TLS 1.0, 1.1, SMBv1, LLMNR, and NetBIOS disabled via registry settings deployed through Intune. Non-essential services (Print Spooler, Xbox Live, Fax) stopped and startup type set to Disabled via Group Policy. A quarterly port scan of all CUI systems confirms only approved ports respond — deviations generate remediation tickets. The assessor runs nmap against a CUI workstation and sees only the expected ports; asks a user to run an unapproved .exe and WDAC blocks it; checks the TLS registry keys and confirms 1.0 and 1.1 are disabled.

---

Where Companies Trip Up

Open unused ports. Firewall allows traffic on ports no application needs. A port scan reveals RDP (3389) open on a workstation that doesn’t use Remote Desktop. Implement default-deny firewall rules and validate with periodic port scans.

Users can install anything. No application control mechanism. A user downloads and runs a utility and nothing stops them. Deploy application control — even a basic blacklist is better than nothing, though whitelisting is preferred.

Legacy protocols still enabled. SMBv1, TLS 1.0, FTP, Telnet — still running because “we might need them” or “we forgot to disable them.” Disable them proactively. If a legacy protocol is genuinely required, document the exception and the compensating control.

Default-allow firewall. The host firewall is on but configured to allow all outbound traffic. Default-deny means only documented, approved ports are open — both inbound and outbound.

---

How to Talk About This

To a CEO or Board

We actively block unnecessary programs, ports, and protocols on every CUI system. If it’s not needed, it’s not allowed — our firewalls are default-deny, our workstations only run approved software, and legacy protocols are disabled everywhere.

To an Engineering Team

Firewall: default-deny inbound and outbound. WDAC or AppLocker for application control. Registry settings via Intune: TLS 1.0/1.1 disabled, SMBv1 disabled, LLMNR disabled, NetBIOS disabled. Non-essential services disabled via GPO. USB storage blocked via Intune device restriction. Quarterly port scans validate. Deviations → remediation tickets.

---

Connected Requirements

Requirement	Why it matters here
3.4.6 — Shrink the Attack Surface	Defines essential capabilities — this requirement blocks everything else
3.4.8 — Whitelist or Blacklist Software	Application control mechanism for the “programs” category
3.13.6 — Deny Everything by Default	Default-deny network policy aligns with blocking nonessential ports and protocols
3.4.2 — Harden Everything	Security baselines include the port, protocol, and service restrictions

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: CM.L2-3.4.7 | SPRS Weight: 5 points | POA&M Eligible: No