CM.L2-3.4.6 · NIST SP 800-171 3.4.6

Least Functionality

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

5 points if not metMust be fully met, cannot POA&M2 assessment objectives

What an assessor scores, the objectives

CM.L2-3.4.6 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a.essential system capabilities are defined based on the principle of least functionality
  • b.the system is configured to provide only the defined essential capabilities

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For CM.L2-3.4.6, an assessor uses these:

Examine

Configuration management policy; configuration management plan; procedures addressing least functionality in the system; system security plan; system design documentation; system configuration settings and associated documentation; security configuration checklists; other relevant documents or records

Interview

Personnel with security configuration management responsibilities; personnel with information security responsibilities; system or network administrators

Test

Organiza tional processes prohibiting or restricting functions, ports, protocols, or services; mechanisms implementing restrictions or prohibition of functions, ports, protocols, or services

What it means, in context

Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single s ystem components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end - point protections such as firewalls and host- based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

You should customize organizational systems to remove non- essential applications and disable unnecessary services . Systems come with many unnecessary applications and settings enabled by default including unused ports and protocols. Leave only the fewest capabilities necessary for the systems to operate effectively. Example You have ordered a new server, which has arrived with a number of free utilities installed in addition to the operating system. Before you deploy the server, you research the utilities to determine which ones can be eliminated without impacting functionality. You remove the unneeded software, then move on to disable unused ports and services . The server that enters production therefore has only the essential capabilities enabled for the system to function in its role [a,b]. Potential Assessment Considerations • Are the roles and functions for each system identified along with the software and services required to perform those functions [a]? • Are the software and services required for those defined functions identified [a]? • Is the information system configured to exclude any function not needed in the operational environment [b]?

What passing evidence looks like

The essential capabilities note per system role (what this machine is FOR and what was turned off) plus a screenshot showing a disabled nonessential service or feature.

Common ways contractors fail CM.L2-3.4.6

  • !Least functionality wants evidence of subtraction. Name at least a few things you disabled (guest account, SMBv1, unused server roles, consumer app store) or it reads as default everything.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove CM.L2-3.4.6, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

CM.L2-3.4.6 questions, answered

How many points is CMMC requirement CM.L2-3.4.6 worth?+

CM.L2-3.4.6 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can CM.L2-3.4.6 be placed on a POA&M?+

No. CM.L2-3.4.6 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does CM.L2-3.4.6 belong to?+

CM.L2-3.4.6 is in the Configuration Management (CM) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.4.6