
How to Implement Whitelisting and Application Control to Manage User-Installed Software (Practical Guide) — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CM.L2-3.4.9

Step-by-step guide to implement whitelisting and application control to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 CM.L2-3.4.9, with tools, policies, and small-business examples.

April 16, 2026
4 min read


Controlling what software users can install and run is a foundational control for protecting controlled unclassified information (CUI) and for meeting NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirement CM.L2-3.4.9. This guide walks through policy design, tooling choices, technical implementation details, small-business scenarios, and compliance practices so you can move from a software inventory to enforced allowlisting without disrupting operations.

What CM.L2-3.4.9 expects

The control text itself is short: control and monitor user-installed software. Assessors working from NIST SP 800-171A (objectives 3.4.9[a] through [c]) look for three things: a documented policy stating what users may install, technical controls that enforce that policy, and monitoring that shows whether installations actually comply with it. In practice that means preventing users from installing or executing unapproved applications while still allowing legitimate business software to run, with logs that prove enforcement, a documented exception process, and integration with your configuration management and incident response processes.

Practical implementation steps (high-level)

Inventory and policy baseline

Start by building an inventory of all software in use across endpoints and servers. Use endpoint inventory tools (Microsoft Intune/Endpoint Manager, Configuration Manager (SCCM), Jamf, or open-source tools such as OCS Inventory) together with the discovery or audit modes of your application control tool to create a baseline. The inventory must capture the signer (publisher certificate) and file hash of each binary, not just product names, because those are the attributes the rules are built from. With that baseline, define an allowlist policy that classifies software by business function (e.g., CAD, Office suite, VPN client) and ownership (company-approved vs user-requested). Document acceptable installation channels (MSI, Chocolatey, company-managed portal) and who can approve exceptions.

Select technology and deployment model

Choose tools that integrate with your environment and compliance needs. Common options: Windows AppLocker (deployed via Group Policy or Intune), Windows Defender Application Control (WDAC, now branded App Control for Business) for hardened environments, Jamf (enforcing Gatekeeper/notarization and Restricted Software policies) or Munki for macOS, and package-manager controls plus AppArmor/SELinux for Linux. Note that Microsoft treats WDAC as a security boundary but not AppLocker, which can be bypassed by several built-in Windows binaries; AppLocker is still a large improvement for CUI workstations, but WDAC is the better fit where the threat model includes a determined local attacker. Small businesses often combine MDM/endpoint management (e.g., Intune, Jamf) with built-in OS app control to get both enforcement and remote management without large licensing costs.

Design rules and enforcement strategy

Design rules by publisher, path, and hash. Best practice: prefer publisher / signing-certificate rules for vendor-signed binaries (they survive legitimate updates), use path rules only for approved application folders that standard users cannot write to (a path rule on a user-writable directory is an open door), and use hash rules only for unique or unsigned binaries, accepting that every update of such a file needs a new rule. Make sure the policy also allows the operating system's own directories; a generated policy that omits them will break the machine the moment it is enforced. Start in audit mode (AppLocker AuditOnly / WDAC audit mode) to capture false positives, refine rules, then move to enforce. Create a staged rollout: pilot with a department, maintain a break-glass admin account for emergency installs, and formalize an exception process that records business justification, duration, and compensating controls.
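The following PowerShell script is an added example, not code from the original article or from Microsoft's documentation, that carries the three steps above through on a single Windows workstation: it inventories executables under the program directories, generates a publisher-first AppLocker policy that falls back to hash rules only for unsigned files, adds path rules for the Windows directory and an assumed internal application folder, sets the Exe collection to audit mode, sanity-checks system binaries against the policy, and applies it locally. The folder `C:\CorpApps` and the output path `C:\AppLocker` are assumptions.

```powershell
# Added example (not from the original article): inventory installed executables,
# generate a publisher-first AppLocker policy, and apply it in audit mode.
# Assumptions: Windows 10/11 or Server, run from an elevated PowerShell session with
# the AppLocker module available; C:\CorpApps (an internal application folder that
# only administrators can write to) and the output path are illustrative.
Import-Module AppLocker

$scanDirs   = 'C:\Program Files', 'C:\Program Files (x86)'
$corpApps   = 'C:\CorpApps'                      # assumed internal app repository
$policyPath = 'C:\AppLocker\baseline-audit.xml'  # assumed output location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# Step 1: inventory. Get-AppLockerFileInformation records publisher (signer) and hash
# for each file, which is exactly the metadata the rules are built from.
$inventory = foreach ($dir in $scanDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}
$unsigned = @($inventory | Where-Object { -not $_.Publisher })
"Inventory: $($inventory.Count) executables, $($unsigned.Count) unsigned (hash rules)"

# Step 2: generate rules. Publisher rules for signed files survive vendor updates;
# hash rules are used only where no signature exists. -Optimize merges duplicates.
[xml]$doc = $inventory | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                             -RuleNamePrefix 'Baseline' -Optimize -Xml
$exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }

# Path rules only for locations standard users cannot modify. Without an allow rule
# for the Windows directory, an enforced Exe collection breaks the OS itself.
function Add-PathAllowRule([System.Xml.XmlElement]$Collection, [string]$Name, [string]$Path) {
    $fragment = @"
<FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions><FilePathCondition Path="$Path" /></Conditions>
</FilePathRule>
"@
    $node = $Collection.OwnerDocument.ImportNode(([xml]$fragment).DocumentElement, $true)
    [void]$Collection.AppendChild($node)
}
Add-PathAllowRule $exe 'Allow Windows directory' '%WINDIR%\*'
Add-PathAllowRule $exe 'Allow internal app repo' "$corpApps\*"

# Step 3: audit before enforcing. AuditOnly writes 8003 events instead of blocking.
$exe.EnforcementMode = 'AuditOnly'
$doc.Save($policyPath)

# Sanity check: system binaries must evaluate to Allowed before the policy ships.
# Test-AppLockerPolicy evaluates real files, so point it at paths present on the host.
$checks = "$env:windir\System32\notepad.exe", "$env:windir\explorer.exe"
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $checks -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# AppLocker evaluates rules only while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath   # local policy; add -Ldap <GPO path> to target a GPO
"Audit-mode policy applied from $policyPath; review 8003 events before switching to Enabled."
```

The script deliberately does not touch the MSI, Script or DLL collections; each of those deserves its own audit cycle, and DLL rules in particular carry a noticeable performance cost. When the audit period is over, change `EnforcementMode` to `Enabled` in the saved XML and re-apply it through the same channel you used for the pilot.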

Real-world small-business scenarios

Example 1 — Creative agency: Designers frequently install font packages and Adobe plugins. Set an allowlist that permits signed Adobe installers and approved font managers in a secured internal repository. Use Intune to push approved plugin packages and block direct installs from unknown web sources. Implement a fast-track exception for one-off plugins requiring approval via a ticketing system, with temporary allowlist entries that expire after 30 days.

Example 2 — Engineering contractor handling CUI CAD files: Enforce WDAC or AppLocker on workstations that process CUI, allowing only signed CAD apps, approved utilities, and corporate VPN clients. Developers or power users get separate lab machines where rules are relaxed and monitored. This separation reduces risk to production CUI environments while preserving developer agility.

Technical details and configuration guidance

On Windows, AppLocker rules can be created by publisher (recommended), path, or file hash. Use Group Policy or Intune configuration profiles (a custom OMA-URI under ./Vendor/MSFT/AppLocker) to deploy AppLocker XML policies. Run in audit mode for 2–4 weeks and collect the events from the Microsoft-Windows-AppLocker/EXE and DLL channel (and the MSI and Script channel if you restrict installers and scripts): Event ID 8003 means a file ran but would have been blocked under enforcement, 8004 means it was blocked. AppLocker evaluates rules only while the Application Identity service (AppIDSvc) is running, so make sure it is set to start automatically wherever the policy is deployed. For stronger enforcement, WDAC is applied by the kernel's code integrity engine and supports signed policies and catalog files; build the policy at the publisher level (New-CIPolicy -Level Publisher) so it references vendor signing certificates rather than hashes and updates do not break, and keep rule option 3 (Enabled:Audit Mode) set until the audit events are clean. On macOS, use Jamf to enforce Gatekeeper/notarization requirements and Restricted Software policies; on Linux, enforce package manager policies, use AppArmor profiles, and limit sudo/installation privileges. Integrate logs with your SIEM so blocked execution events generate alerts tied to asset and user identity.
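To turn the audit-mode log review described above into something repeatable, here is an added example (not from the original article) that parses AppLocker 8003/8004 events, groups them into publisher-rule or hash-rule candidates, and writes one JSON line per event for a SIEM. The three sample events at the bottom are constructed for the example, not captured from a real system; the `Get-AppLockerAuditEvents` function reads the live channel when you have one, and the output path `C:\AppLocker\applocker-events.jsonl` is an assumption.

```powershell
# Added example, not from the original article: summarise AppLocker audit/block
# events (8003 = ran but would have been blocked, 8004 = blocked) into rule
# candidates and SIEM-ready JSON lines. The sample events below are constructed.

function ConvertFrom-AppLockerEventXml {
    # Flatten one event's XML. AppLocker puts file details in UserData/RuleAndFileData;
    # Fqbn (fully qualified binary name) is '-' when the file is unsigned.
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        [xml]$e = $EventXml
        $sys = $e.Event.System
        $eid = if ($sys.EventID -is [System.Xml.XmlElement]) { $sys.EventID.InnerText } else { $sys.EventID }
        $d   = $e.Event.UserData.RuleAndFileData
        $fqbn = $d.Fqbn
        [pscustomobject]@{
            Time      = [datetime]$sys.TimeCreated.SystemTime
            EventId   = [int]$eid
            Computer  = $sys.Computer
            User      = $d.TargetUser            # SID; resolve to a name in the SIEM
            FilePath  = $d.FilePath
            FileHash  = $d.FileHash
            Publisher = if ($fqbn -and $fqbn -ne '-') { ($fqbn -split '\\')[0] } else { $null }
            Fqbn      = $fqbn
        }
    }
}

function Get-AppLockerAuditEvents {
    # Live read of the channel the article cites, for the last N days.
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() } | ConvertFrom-AppLockerEventXml
}

function Get-RuleCandidates {
    # Signed files group by publisher (one publisher rule covers every version);
    # unsigned files group by path, since they can only get a hash rule.
    param([Parameter(ValueFromPipeline)]$Event)
    begin { $all = @() } process { $all += $Event } end {
        $all | Group-Object { if ($_.Publisher) { "PUBLISHER|$($_.Publisher)" } else { "HASH|$($_.FilePath)" } } |
            ForEach-Object {
                $kind, $key = $_.Name -split '\|', 2
                [pscustomobject]@{
                    RuleType = $kind
                    Subject  = $key
                    Hits     = $_.Count
                    Users    = ($_.Group.User | Sort-Object -Unique) -join ','
                    Blocked  = @($_.Group | Where-Object EventId -eq 8004).Count
                }
            } | Sort-Object Hits -Descending
    }
}

function New-SampleEventXml([int]$Id, [string]$User, [string]$Path, [string]$Fqbn) {
    # Constructed test data in the shape of a real AppLocker event; values are invented.
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>$Id</EventID><TimeCreated SystemTime="2026-04-01T13:05:00.000Z" />
  <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>WS-DESIGN-01</Computer></System>
 <UserData><RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
  <PolicyName>EXE</PolicyName><RuleId>{00000000-0000-0000-0000-000000000000}</RuleId><RuleName>-</RuleName>
  <RuleSddl>-</RuleSddl><TargetUser>$User</TargetUser><TargetProcessId>4120</TargetProcessId>
  <FilePath>$Path</FilePath><FileHash>0x00</FileHash><Fqbn>$Fqbn</Fqbn>
 </RuleAndFileData></UserData></Event>
"@
}
$sample = @(
    New-SampleEventXml 8003 'S-1-5-21-1-2-3-1001' '%OSDRIVE%\USERS\ALICE\DOWNLOADS\FONTMGR.EXE' 'O=EXAMPLE FONT CO, C=US\FONTMGR\FONTMGR.EXE\2.1.0.0'
    New-SampleEventXml 8003 'S-1-5-21-1-2-3-1002' '%OSDRIVE%\USERS\BOB\DOWNLOADS\FONTMGR.EXE'   'O=EXAMPLE FONT CO, C=US\FONTMGR\FONTMGR.EXE\2.1.0.0'
    New-SampleEventXml 8004 'S-1-5-21-1-2-3-1001' '%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\TOOL.EXE' '-'
)

# Offline run on the constructed sample; replace with Get-AppLockerAuditEvents for live data.
$events = $sample | ConvertFrom-AppLockerEventXml
$events | Get-RuleCandidates | Format-Table -AutoSize

# One JSON object per line, carrying host, user SID and file identity for the SIEM.
$events | ForEach-Object { ConvertTo-Json -InputObject $_ -Compress } |
    Set-Content -Path 'C:\AppLocker\applocker-events.jsonl'
```

Run against the sample, the two signed downloads collapse into a single publisher candidate for `O=EXAMPLE FONT CO, C=US` while the unsigned file in a temp directory stays a hash candidate with one blocked hit; that is the split you want to review with the business owner before anything is added to the allowlist. A publisher candidate seen from many users is usually a missing rule; a hash candidate from one user under `%OSDRIVE%\USERS\...` is usually the thing the control exists to stop.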

Risks of not implementing whitelisting and best practices

Without application control you increase the risk of malware, ransomware, and data exfiltration via unauthorized tools (file transfer utilities, remote access tools, or scripts). Lack of control also makes it hard to meet CMMC contractual obligations, which can lead to lost contracts or remediation orders. Best practices: keep an up-to-date CMDB of approved software, automate policy deployment through endpoint management, rotate and protect code signing keys, schedule periodic rule reviews (quarterly), and maintain a documented exception and change-control workflow tied to your configuration management process.

Compliance tips and operational guidance

Document everything: baselines, rule rationales, pilot results, exception approvals, and logs proving enforcement. Automate reporting for auditors (e.g., weekly lists of blocked attempts and approved exceptions). Train helpdesk staff to triage legitimate business needs and use a temporary allowlist mechanism with automatic expiry. For remote or BYOD scenarios, enforce most restrictive rules on corporate-managed devices and use network segmentation or Zero Trust controls for unmanaged devices handling CUI. Finally, test incident response playbooks that include steps for identifying and remediating a policy bypass or rogue installation.
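The temporary allowlist with automatic expiry mentioned here and in the creative-agency scenario above has no native equivalent in AppLocker, so it has to be built around the policy. The script below is an added example, not from the original article: each approved exception is recorded in a JSON register with a ticket number, requester and expiry date, and a hash rule for that exact file is generated at approval time. A rebuild step then composes the effective policy from the reviewed baseline plus only the unexpired exceptions, so expired entries fall out without anyone remembering to remove them. The file paths, the register format, and the `Add-TemporaryException` / `Update-EffectivePolicy` function names are this example's own conventions.

```powershell
# Added example, not from the original article: a temporary-allowlist workflow in
# which exceptions carry a ticket and expiry date, and the effective AppLocker policy
# is rebuilt from the baseline plus only the unexpired exceptions.
# Assumptions: a reviewed baseline policy XML already exists (e.g. from an audit-mode
# pilot); paths and the JSON register layout are illustrative; run elevated.
Import-Module AppLocker

$baselinePath  = 'C:\AppLocker\baseline.xml'     # assumed: reviewed baseline policy
$registerPath  = 'C:\AppLocker\exceptions.json'  # assumed: exception register
$effectivePath = 'C:\AppLocker\effective.xml'    # assumed: generated, never hand-edited

function Get-ExceptionRegister {
    # Returns an array even when the register is empty or holds a single entry.
    if (-not (Test-Path $registerPath)) { return @() }
    $r = [array](Get-Content $registerPath -Raw | ConvertFrom-Json)
    if ($r) { $r } else { @() }
}

function Add-TemporaryException {
    # Helpdesk records an approved one-off binary. A hash rule for that exact file is
    # generated now, so the exception cannot later be reused for a different version.
    param([string]$Ticket, [string]$FilePath, [string]$Requester, [int]$Days = 30)
    if (-not (Test-Path $FilePath)) { throw "File not found: $FilePath" }
    [xml]$ruleDoc = Get-AppLockerFileInformation -Path $FilePath |
        New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix "EXC-$Ticket" -Xml
    $rule = @($ruleDoc.AppLockerPolicy.RuleCollection |
              Where-Object { $_.Type -eq 'Exe' } | ForEach-Object { $_.FileHashRule })[0]
    if (-not $rule) { throw "Only EXE exceptions are handled in this example: $FilePath" }
    $register = Get-ExceptionRegister
    $register += [pscustomobject]@{
        Ticket    = $Ticket
        Requester = $Requester
        FilePath  = $FilePath
        Approved  = (Get-Date).ToString('o')
        ExpiresOn = (Get-Date).AddDays($Days).ToString('o')
        RuleXml   = $rule.OuterXml
    }
    ConvertTo-Json -InputObject $register | Set-Content -Path $registerPath
}

function Update-EffectivePolicy {
    # Rebuild baseline + unexpired exceptions and apply. The policy is replaced rather
    # than merged (no -Merge), so rules for expired exceptions really disappear.
    [xml]$doc = Get-Content $baselinePath -Raw
    $exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $now = Get-Date
    $register = Get-ExceptionRegister
    $active   = @($register | Where-Object { [datetime]$_.ExpiresOn -gt $now })
    $expired  = @($register | Where-Object { [datetime]$_.ExpiresOn -le $now })
    foreach ($ex in $active) {
        $node = $doc.ImportNode(([xml]$ex.RuleXml).DocumentElement, $true)
        # The rule's Description carries the audit trail an assessor will ask for.
        $node.SetAttribute('Description', "Ticket $($ex.Ticket) for $($ex.Requester); expires $($ex.ExpiresOn)")
        [void]$exe.AppendChild($node)
    }
    $doc.Save($effectivePath)
    Set-AppLockerPolicy -XmlPolicy $effectivePath   # local policy; use -Ldap for a GPO
    [pscustomobject]@{ Active = $active.Count; Expired = $expired.Count; Policy = $effectivePath }
}

# Example workflow (paths are placeholders): record an approved plugin installer for
# the default 30 days, rebuild, and print the register for the weekly auditor report.
Add-TemporaryException -Ticket 'HD-1042' -FilePath 'C:\CorpApps\Staging\plugin-installer.exe' -Requester 'alice'
Update-EffectivePolicy
Get-ExceptionRegister | Select-Object Ticket, Requester, FilePath, ExpiresOn | Format-Table -AutoSize
```

Schedule `Update-EffectivePolicy` to run daily (a scheduled task or your endpoint manager's script runner) so expiry takes effect without a human in the loop, and treat the register file itself as CUI-adjacent configuration: it is the evidence that each exception had a justification and an end date.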

Summary: Implementing whitelisting and application control to meet CM.L2-3.4.9 is achievable for small businesses by starting with a complete inventory, choosing appropriate OS-native controls and MDM tooling, designing publisher-first rule sets, running audit-mode pilots, and operationalizing exceptions and monitoring. Done properly, application control reduces attack surface, supports NIST / CMMC compliance, and preserves business operations through staged rollouts and documented processes.
