CM.L2-3.4.9: Control and Monitor User-Installed Software
User-installed software poses significant security risks in controlled environments. CMMC Level 2 control CM.L2-3.4.9 requires organizations to establish mechanisms that prevent unauthorized software installation and maintain visibility into what users deploy. This control is essential for protecting sensitive unclassified information (CUI) across your defense contractor environment.
What this means
This control requires you to implement technical and administrative measures that restrict, control, and monitor software installation on systems handling CUI. You must establish a baseline of approved applications, detect unauthorized installations, and maintain enforcement mechanisms that prevent users from circumventing software controls. The goal is to reduce attack surface by eliminating unknown or malicious code from entering your systems through unauthorized user installations.
How to comply
- 1.Deploy application whitelisting or approved software lists across all systems handling CUI
- 2.Configure endpoint controls to block unauthorized software installation attempts
- 3.Establish a formal process for requesting, approving, and deploying new software
- 4.Monitor systems for unauthorized or unapproved application installations in real-time
- 5.Maintain logs of all software installation attempts (successful and blocked)
- 6.Conduct regular audits to identify undocumented or rogue applications on systems
- 7.Document your approved software inventory with version numbers and deployment dates
- 8.Define consequences and remediation procedures for users who attempt unauthorized installations
Evidence auditors look for
- Application whitelisting policies and configuration documentation
- Endpoint protection/MDM tool reports showing blocked installation attempts
- Software request and approval workflow records
- System logs documenting installation events (successful blocks and allowed installs)
- Approved software inventory list with business justification for each application
- Audit reports from security scanning tools identifying unauthorized software
- User acknowledgment forms confirming awareness of software installation policies
- Change management records for approved software deployments
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch's continuous monitoring engine detects unauthorized software installations across your infrastructure and automatically flags non-compliance with CM.L2-3.4.9, eliminating manual audit cycles and providing real-time evidence for your CMMC assessment.
See how GRCWatch handles this control automatically
Start free trial