CM.L2-3.4.9 · NIST SP 800-171 3.4.9

User-installed Software

Control and monitor user-installed software.

1 point if not metPOA&M eligible3 assessment objectives

What an assessor scores, the objectives

CM.L2-3.4.9 is met only when every one of these 3 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a.a policy for controlling the installation of software by users is established
  • b.installation of software by users is controlled based on the established policy
  • c.installation of software by users is monitored

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For CM.L2-3.4.9, an assessor uses these:

Examine

Configuration management policy; procedures addressing user installed software; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; list of rules governing user- installed software; system monitoring records; system audit logs and records; continuous monitoring strategy; other relevant documents or records

Interview

Personnel with responsibilities for governing user -installed software; personnel operating, using, or maintaining the system; personnel monitoring compliance with user -installed software policy; personnel with information security responsibilities; system or network administrators

Test

Organizational processes governing user -installed software on the system; mechanisms enforcing rules or methods for governing the installation of software by users; mechanisms monitoring policy compliance

What it means, in context

Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user -installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.

Software that users have the ability to install is limited to items that the organization approves. When not controlled, users could install software that can create unnecessary risk. This risk applies both to the individual machine and to the larger operating environment. Policies and technical controls reduce risk to the organization by preventing users from installing unauthorized software. Example You are a system administrator. A user calls you for help installing a software package. They are receiving a message asking for a password because they do not have permission to install the software. You explain that the policy prohibits users from installing software without approval [a]. When you set up workstations for users, you do not provide administrative privileges. After the call, you redistribute the policy to all users ensuring everyone in the company is aware of the restrictions. Potential Assessment Considerations • Are user controls in place to prohibit the installation of unauthorized software [a]? • Is all software in use on the information systems approved [b]? • Is there a mechanism in place to monitor the types of software a user is permitted to download (e.g., is there a whitelist of approved software) [c]?

What passing evidence looks like

The user installed software rule (what is allowed, who approves), the enforcement (standard users cannot install), and a monitoring artifact (the installed software report you actually review).

Common ways contractors fail CM.L2-3.4.9

  • !Control, monitor, both verbs. No admin rights covers control; you still need the periodic look at what is installed, an Intune discovered apps export with a review date satisfies monitoring.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove CM.L2-3.4.9, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

CM.L2-3.4.9 questions, answered

How many points is CMMC requirement CM.L2-3.4.9 worth?+

CM.L2-3.4.9 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can CM.L2-3.4.9 be placed on a POA&M?+

Yes. A gap on CM.L2-3.4.9 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.

What family does CM.L2-3.4.9 belong to?+

CM.L2-3.4.9 is in the Configuration Management (CM) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.4.9