3.4.9 — No Unauthorized Software

The One-Liner

If a user can download and install software without IT knowing, you have a shadow IT problem — and a compliance problem.

What It Says

Control and monitor user-installed software.

What It Actually Means

Three things, all required:

1. A policy exists. You have a documented policy that defines what software users are allowed to install (if any), how they request new software, and what’s prohibited. Most CUI environments should prohibit user-initiated installation entirely — software comes through IT-managed deployment.

2. Installation is controlled. Technical controls prevent unauthorized installations. The most effective approach: remove local administrator rights. Without admin rights, users can’t install most software. Supplement with a managed software deployment tool (Intune Company Portal, SCCM Software Center) where users can request and install approved applications from a curated catalog.

3. Installation is monitored. Even with controls, monitor for unauthorized software appearing on systems. Software inventory scans detect new applications — if something appears that wasn’t deployed through the approved channel, it triggers investigation. This catches edge cases: portable apps that don’t require installation, browser extensions, scripts.

This requirement complements 3.4.8 (application control). Where 3.4.8 controls what can execute, this requirement controls what gets installed. Together they form a complete software control strategy: users can’t install unauthorized software, and even if something is installed, application control prevents it from running.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is a policy for controlling software installation established?	Documented policy: users cannot install software without approval; approved channel defined
2	Is installation controlled based on the policy?	Local admin removed; software deployed via managed tool; unauthorized install attempts blocked
3	Is software installation monitored?	Inventory scans detect unauthorized software; alerts generated for unapproved applications

---

What to Have Ready on Assessment Day

Documents they’ll review: Configuration management policy; procedures addressing user-installed software; system security plan; list of approved software and the approval process; system configuration showing admin rights removed; monitoring records; software inventory scan results; continuous monitoring strategy

People they’ll talk to: Personnel governing user-installed software; system operators and users; personnel monitoring compliance; information security personnel; system or network administrators

Live demos they’ll ask for: “Log in as a standard user and try to install software — what happens?” “Show me your software deployment tool.” “Show me a software inventory scan — how would you detect unauthorized software?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Can a standard user install software? Show me.”
• “How does a user request new software? Walk me through the process.”
• “What happens if a user tries to install something they’re not approved for?”
• “How do you monitor for unauthorized software? Show me the scan results.”
• “Show me a recent example of unauthorized software being detected — what happened?”
• “Is there a mechanism to monitor the types of software a user is permitted to download?”

Real-World Example

A defense contractor removes local admin rights from all CUI workstations via Intune. Users cannot install software — any install attempt prompts for admin credentials they don’t have. When a user needs software, they submit a request through the IT ticketing system. The IT Security Lead evaluates the request — is the software approved? Is there a business justification? Does it introduce risk? If approved, the software is packaged and deployed through Intune Company Portal, where the user can self-install from the curated catalog. Monthly, the IT team runs a Defender for Endpoint software inventory report comparing installed software against the approved list. One month, a portable file compression utility appears on two workstations — not installed through Intune. Investigation reveals users downloaded it from a website. The utility is removed, the users are reminded of the policy, and the IT team adds a WDAC rule to block the specific executable. The detection, investigation, and resolution are documented.

---

Where Companies Trip Up

Local admin rights. Users are local administrators on their workstations — they can install anything. This is the single biggest gap. Remove local admin for all standard users. Use a privileged access solution if specific users occasionally need elevated rights.

No monitoring. Admin rights are removed but nobody monitors for unauthorized software. Portable applications, browser extensions, and scripts don’t require admin to install. Run regular software inventory scans and compare against the approved list.

No approved software list. Users know they need approval but there’s no defined list of what’s approved. Maintain a curated software catalog and make it accessible through a self-service portal.

Process too slow. Users need software for legitimate work but the approval process takes weeks. Frustrated users find workarounds. Make the approval and deployment process efficient — a reasonable target is 48 hours for standard requests. Pre-approve common tools so they’re available immediately in the software catalog.

---

How to Talk About This

To a CEO or Board

Users cannot install software on CUI systems without IT approval. Admin rights are removed, approved software is deployed through a managed catalog, and we monitor for any unauthorized installations. Shadow IT is detected and addressed.

To an Engineering Team

Local admin removed via Intune. Software deployment: Intune Company Portal with curated app catalog. Request process: ticket → IT Security Lead review → package and deploy. Monitoring: Defender software inventory monthly, compare against approved list. Unauthorized detection → removal + user notification + WDAC block. Portable app detection via endpoint telemetry.

---

Connected Requirements

Requirement	Why it matters here
3.4.8 — Whitelist or Blacklist Software	Application control complements installation control — what can execute vs. what can be installed
3.4.7 — Block What’s Not Needed	Blocking nonessential programs includes preventing their installation
3.4.1 — Know Your Inventory	Software inventory used to detect unauthorized installations
3.14.2 — Deploy Anti-Malware	Endpoint protection provides additional detection of unauthorized and malicious software

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: CM.L2-3.4.9 | SPRS Weight: 1 point | POA&M Eligible: Yes