CM.L2-3.4.6, grounded in NIST SP 800-171 Rev 2 Security Requirement 3.4.6, requires organizations to configure systems to provide only the capabilities essential to their mission function, explicitly prohibiting or restricting all nonessential functions, ports, protocols, and services. Organizations must first define what 'essential' means for each system or system component, then enforce that definition through technical configuration. This is not a one-time activity — the defined essential capabilities must be maintained as a baseline and re-evaluated whenever system purpose or operating environment changes. The underlying principle is that every enabled capability, open port, running service, or available protocol that is not required for legitimate business operations represents unnecessary risk that an adversary can exploit. NIST SP 800-171 Rev 2 Section 3.4.6 explicitly links this requirement to the concept of limiting system exposure by removing or disabling functions not needed for organizational operations.
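The technical half of this practice, a defined essential-capabilities baseline enforced against what a system actually exposes, is easiest to see in a check. The following Python script is an added example, not part of the practice text or any official assessment tooling: it parses constructed `ss -tuln` style output and reports every listening port or protocol that is not in the component's defined essential baseline (the baseline, the sample output and the service labels in the comments are hypothetical).

```python
"""Least-functionality drift check (illustrative, not official tooling).

Compares observed listening sockets against the set of (protocol, port)
pairs the organization has defined as essential for this component.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed baseline for a hypothetical HTTPS front end: only these
# capabilities were defined as essential to its mission function.
ESSENTIAL_BASELINE = {
    ("tcp", 22),   # remote administration
    ("tcp", 443),  # the service the host exists to provide
}

# Constructed sample of `ss -tuln` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    *:443              *:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    [::]:3306          [::]:*
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

# Matches the Netid and Local Address:Port columns; addr may be *, IPv4 or [IPv6].
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s"
)

def parse_ss(output: str) -> list[Listener]:
    """Extract listening sockets from `ss -tuln` style text; skips the header."""
    return [
        Listener(m["proto"], m["addr"], int(m["port"]))
        for line in output.splitlines()
        if (m := SOCKET_RE.match(line))
    ]

def nonessential(listeners: list[Listener], baseline: set) -> list[Listener]:
    """Return every listener whose (proto, port) is outside the essential baseline.

    Loopback-only listeners are reported too: the practice restricts nonessential
    functions, not only externally reachable ones.
    """
    return [l for l in listeners if (l.proto, l.port) not in baseline]

if __name__ == "__main__":
    for l in nonessential(parse_ss(SAMPLE_SS_OUTPUT), ESSENTIAL_BASELINE):
        print(f"nonessential: {l.proto}/{l.port} bound to {l.addr}")
```

In the constructed sample the check flags 631/tcp, 161/udp and 3306/tcp; each finding is either disabled or added to the baseline with a documented mission justification, which is how the baseline is re-evaluated when the component's purpose changes.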
Where it stops · what it isn't
- This practice does not govern user account privilege levels or access rights — that is addressed by AC domain practices (e.g., 3.1.1, 3.1.2) under least privilege.
- This practice does not require removal of software from development or test environments where additional capabilities may be legitimately needed, provided those environments are appropriately isolated and scoped.
- This practice does not prescribe specific approved software lists or application whitelisting enforcement mechanisms — those are addressed by CM.L2-3.4.8 (authorized software) and CM.L2-3.4.9.
- This practice does not directly address user behavior restrictions such as use of removable media — that falls under MP and AC domain controls.
- This practice does not independently satisfy requirements for monitoring configuration drift — that is addressed in conjunction with CM.L2-3.4.1 (baseline configurations) and SI domain practices.
Connected concepts in the graph
PART OF: domain/configuration-management