CM.L2-3.4.7 — Restrict nonessential programs, ports, and services
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Verbatim NIST SP 800-171 Rev 2 requirement text (3.4.7).
How it's scored
5 points deducted from your SPRS score if unmet.
An open gap here is not POA&M-eligible (only 1-point requirements qualify under 32 CFR 170.21, with one narrow exception at SC.L2-3.13.11), so the requirement must be fully implemented before a Level 2 assessment can certify.
What an assessor checks: the 15 assessment objectives
NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks CM.L2-3.4.7 MET only when every applicable objective is satisfied — and examines evidence, not assertions.
| Objective | Determination statement |
|---|---|
| 3.4.7[a] | essential programs are defined. |
| 3.4.7[b] | the use of nonessential programs is defined. |
| 3.4.7[c] | the use of nonessential programs is restricted, disabled, or prevented as defined. |
| 3.4.7[d] | essential functions are defined. |
| 3.4.7[e] | the use of nonessential functions is defined. |
| 3.4.7[f] | the use of nonessential functions is restricted, disabled, or prevented as defined. |
| 3.4.7[g] | essential ports are defined. |
| 3.4.7[h] | the use of nonessential ports is defined. |
| 3.4.7[i] | the use of nonessential ports is restricted, disabled, or prevented as defined. |
| 3.4.7[j] | essential protocols are defined. |
| 3.4.7[k] | the use of nonessential protocols is defined. |
| 3.4.7[l] | the use of nonessential protocols is restricted, disabled, or prevented as defined. |
| 3.4.7[m] | essential services are defined. |
| 3.4.7[n] | the use of nonessential services is defined. |
| 3.4.7[o] | the use of nonessential services is restricted, disabled, or prevented as defined. |
Where do you stand on CM.L2-3.4.7?
The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.
Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.