GRCWatch
Sign inStart free trial

NIST SP 800-171 Control 3.4.8: Application Execution Policy

Control 3.4.8 requires organizations to restrict software execution through either blacklist (deny-by-exception) or whitelist (deny-all, permit-by-exception) policies. For SMBs handling controlled unclassified information, enforcing application execution policies is critical to prevent malware, unauthorized tools, and supply chain attacks. Whitelisting is the stronger posture and recommended by NIST.

What this means

This control mandates a formal application execution policy that governs which software can run on systems. You must choose between two approaches: (1) Blacklisting—block known bad applications while allowing others by default, or (2) Whitelisting—allow only explicitly approved applications and block everything else. Whitelisting provides stronger security by default and is the preferred approach for sensitive environments.

How to comply

  1. 1.Develop and document an application execution policy that defines approved software for each system or user role
  2. 2.Choose a whitelisting strategy (deny-all, permit-by-exception) as the primary control, or supplement blacklisting with regular threat intelligence updates
  3. 3.Deploy application execution controls using endpoint protection, AppLocker (Windows), or SELinux (Linux) tools
  4. 4.Maintain an approved applications list with version numbers, deployment dates, and business justification
  5. 5.Establish a formal process for requesting, reviewing, and approving new software additions
  6. 6.Monitor and log all application execution attempts, both allowed and blocked
  7. 7.Conduct quarterly reviews of approved applications and remove obsolete or high-risk software
  8. 8.Test policy enforcement on non-production systems before enterprise rollout

Evidence auditors look for

  • Approved applications inventory with version control and deployment documentation
  • Application execution policy document signed by management
  • Endpoint protection or AppLocker configuration files with whitelist rules
  • Change requests and approval logs for new software additions
  • Execution logs showing blocked and allowed application attempts
  • Quarterly application review and removal records
  • Security assessment reports confirming policy enforcement across systems

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates application execution policy tracking by maintaining your approved software inventory, logging all execution events, and flagging policy violations in real-time—eliminating manual spreadsheets and reducing audit prep time.

See how GRCWatch handles this control automatically

Start free trial

Related controls

NIST 800-171 3.4.1 (Boundary Protection)NIST 800-171 3.4.2 (Access Points)NIST 800-171 3.7.1 (Malware Protection)NIST 800-171 3.7.3 (Security Alerts and Advisories)