Controlling and monitoring user-installed software (NIST SP 800-171 / CMMC 2.0 CM.L2-3.4.9) prevents unauthorized code from introducing vulnerabilities, exfiltrating Controlled Unclassified Information (CUI), or enabling lateral movement—this guide gives small businesses a practical, auditable way to implement the control end-to-end.
Overview and Key Objectives
At a high level, CM.L2-3.4.9 requires organizations to limit which software users can install and to monitor installations so that unauthorized applications are detected and remediated. Key objectives for Compliance Framework adherence are: maintain an inventory of authorized software, apply least-privilege administrative models, enforce application allowlists/deny lists, monitor for deviations, and retain evidence in the System Security Plan (SSP) and assessment artifacts.
Step-by-step implementation
Begin with policy and scope: document a written "User-Installed Software" policy in your SSP that defines allowed installation methods, roles permitted to approve exceptions, and the exception approval workflow. Next, build a baseline inventory of currently installed software across endpoints (use tools like Microsoft Defender for Endpoint, SCCM/ConfigMgr, Intune, JAMF, or open-source agents such as OCS Inventory). Then remove local admin rights where feasible—use tools like Local Administrator Password Solution (LAPS) or managed local admin policies to prevent unsupervised installs.
Implement technical controls in phases. Phase 1: Prevent installs by restricting installer execution and Windows Installer via Group Policy and Intune: disable "Allow users to install" and block Windows Installer for non-admins. Phase 2: Apply application allowlisting—Windows AppLocker or Windows Defender Application Control (WDAC) for Windows endpoints; JAMF and MDM configuration profiles for macOS; SELinux/AppArmor and signed package verification for Linux. Configure rules by publisher (certificate), file hash, or file path depending on your environment and maintenance needs. Phase 3: Harden scripting engines—enable PowerShell script block logging, constrain PowerShell language mode, and use AMSI to detect malicious scripts.
Tools, configurations and specific technical steps
Practical small-business toolset examples: use Intune to deploy a Win32 app with an Intune Win32 content prep tool for approved apps, and push an AppLocker policy via Intune's Endpoint Security > Application Control. For AppLocker diagnostics, export an effective policy: Get-AppLockerPolicy -Effective -XML > C:\temp\applocker.xml and review with New-AppLockerPolicy -XmlPolicy. For WDAC, generate a CI policy and sign the policy using an internal code-signing certificate. On macOS, leverage JAMF to create a restricted software payload and use MDM to prevent users from installing unsigned packages; on Linux, enforce package installs via apt/yum with sudoers restrictions and use auditd to log package manager events (e.g., /var/log/dpkg.log or /var/log/yum.log).
Monitoring, logging, and evidence collection
Monitoring is critical for attestation. Send AppLocker/WDAC events, PowerShell logging, and endpoint telemetry to a SIEM (Splunk/Elastic/Cloud-native) or a centralized log collector. Key logs to capture: AppLocker/WDAC application control logs, Windows Event logs for MSI installs, Intune/JAMF audit trails for application installs/failed installs, package manager logs on Linux/macOS, and EDR alerts (block/allow events). Create automated alerts for installation attempts by non-authorized users or unsigned binaries. Maintain retention and export snapshots as assessment evidence: current allowlist policy files, logs showing blocked attempts, change-control tickets authorizing exceptions, and monthly review records.
Small-business scenarios and real-world examples
Example 1: A 25-person defense subcontractor uses Windows 10 endpoints managed via Intune. They remove local admin from users, deploy AppLocker via Intune with a default-deny executable rule based on publisher signatures for approved apps (Microsoft Office, Adobe Reader). They configure an approval workflow in Jira to add new software to the allowlist and capture the ticket ID in the justification field of the AppLocker exception. Example 2: A small engineering firm with mixed macOS and Linux workstations uses JAMF for Macs and SSH-managed configuration for Linux servers; they block unsigned PKG installers for macOS and use a central apt repository with repo signing for Linux to ensure only vetted packages are installed.
Implementation notes and compliance artifacts
Document the SSP control narrative describing how your allowlist/monitoring maps to CM.L2-3.4.9. Maintain POA&Ms for known gaps (e.g., legacy systems that can't run AppLocker). Evidence artifacts for assessors should include: the allowlist/whitelist files, MDM/EPM configuration screenshots, SIEM query results showing blocked attempts, change-control tickets for exceptions, and a regular review schedule (monthly or quarterly) with logs proving review completion.
Risks of not implementing CM.L2-3.4.9
Failing to control and monitor user-installed software leaves organizations exposed to ransomware and supply-chain malware, increases the chance of CUI exfiltration via Trojans or malicious toolkits, enables privilege escalation through vulnerable third-party apps, and risks noncompliance penalties or loss of DoD contracts. For a small business, a single infected endpoint can compromise an entire network—especially if users retain local admin rights and can install persistent backdoors.
Tips, best practices, and final checklist
Best practices: enforce least privilege first (remove local admin), apply default-deny application control, maintain a formal exception process, instrument robust logging to a SIEM, test policies in "audit" mode before enforcement, and use code-signing for in-house tools. Keep an emergency bypass process for business-critical installs and ensure temporary elevating accounts are time-limited and logged. Regularly review and prune your allowlist to avoid configuration drift. For evidence, automate export of allowlist policy and installation logs monthly and store in a secure, immutable location for assessments.
Implementing CM.L2-3.4.9 is an engineering and process effort: combine policy, least-privilege user accounts, application control (AppLocker/WDAC/JAMF/MDM), EDR/SIEM monitoring, and documented exception and review workflows to meet Compliance Framework requirements and reduce risk. With these steps, a small business can produce clear artifacts for assessors and materially reduce the attack surface from user-installed software.
