STIGhub — A free STIG search and compliance tool · STIGs updated 3 days ago

CM-7 (1)

Configuration Management · Rev 5 · organization

Periodic Review

Baselines: Moderate, High

Control Statement

(a) Review the system [Assignment: frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].

Supplemental Guidance

Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking.

Related Controls (1)

AC-18

CCI Identifiers (6)

CCI-000383: The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services.

CCI-000384: Review the system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, software, and services.

CCI-000385: The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services.

CCI-001760: Defines the frequency of system reviews to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services.

CCI-001761: Defines the functions, ports, protocols, software, and services within the information system that are to be disabled or removed when deemed unnecessary and/or nonsecure.

CCI-001762: Disable or remove organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure.

Linked STIG Checks (124)

Across 92 STIGs.