CM-7.5: Authorized Software — Allow-by-exception

software programs are identified;

a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;

the list of authorized software programs is reviewed and updated frequency .

Configuration management policy

procedures addressing least functionality in the system

configuration management plan

system design documentation

system configuration settings and associated documentation

list of software programs authorized to execute on the system

system component inventory

common secure configuration checklists

review and update records associated with list of authorized software programs

change control records

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for identifying software authorized to execute on the system

organizational personnel with information security responsibilities

system/network administrators

Organizational process for identifying, reviewing, and updating programs authorized to execute on the system

organizational process for implementing authorized software policy

mechanisms supporting and/or implementing authorized software policy