03.04.06 Least Functionality

This policy outlines the organization's commitment to the principle of Least Functionality, ensuring that all systems and devices within the organization are configured to operate with only the minimum set of functions, ports, protocols, connections, and services necessary to fulfill their designated mission-essential capabilities. This policy aims to minimize the attack surface and reduce the risk of unauthorized access, data breaches, and other cyber threats.

• A.03.04.06.ODP[01]: functions to be prohibited or restricted are defined.
• A.03.04.06.ODP[02]: ports to be prohibited or restricted are defined.
• A.03.04.06.ODP[03]: protocols to be prohibited or restricted are defined.
• A.03.04.06.ODP[04]: connections to be prohibited or restricted are defined.
• A.03.04.06.ODP[05]: services to be prohibited or restricted are defined.
• A.03.04.06.ODP[06]: the frequency at which to review the system to identify unnecessary or nonsecure functions, ports, protocols, connections, or services is defined.
• A.03.04.06.a: the system is configured to provide only mission-essential capabilities.
• A.03.04.06.b[01]: the use of the following functions is prohibited or restricted: <A.03.04.06.ODP[01]: functions>.
• A.03.04.06.b[02]: the use of the following ports is prohibited or restricted: <A.03.04.06.ODP[02]: ports>.
• A.03.04.06.b[03]: the use of the following protocols is prohibited or restricted: <A.03.04.06.ODP[03]: protocols>.
• A.03.04.06.b[04]: the use of the following connections is prohibited or restricted: <A.03.04.06.ODP[04]: connections>.
• A.03.04.06.b[05]: the use of the following services is prohibited or restricted: <A.03.04.06.ODP[05]: services>.
• A.03.04.06.c: the system is reviewed <A.03.04.06.ODP[06]: frequency> to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.
• A.03.04.06.d: unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed.