Requirement
NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 - Control CM.L2-3.4.9 - Control and monitor user-installed software.
Understanding the Requirement
This control from NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 requires an organization to establish a policy restricting user installation of software, enforce that policy so that software is installed only when approved and needed, and monitor endpoints to detect and remediate unapproved software. The intent is to reduce the malware risk and attack surface that uncontrolled installs create, and to ensure that the software in use is authorized for business purposes, supported, and kept current.
Technical Implementation
- Establish and enforce least-privilege accounts: Remove local administrative rights from standard user accounts and give administrators a separate, logged account for elevated work. Manage privileges centrally through Group Policy, Microsoft Intune, Jamf, or a similar MDM so end users cannot regain admin rights and bypass the controls. Removing admin rights alone is not sufficient: many installers (per-user MSI packages, browser- and Electron-based apps, portable executables) write only to the user's profile and need no elevation, which is the gap the application control step below closes.
- Create a software approval process and inventory: Require IT approval and a documented business justification for any new software. Keep a central inventory or CMDB of approved applications (name, version, vendor, business owner, and end-of-life date) and allow procurement and deployment only through IT-managed channels. This inventory is also the reference list that endpoint audits are compared against.
- Use application control (allowlisting): Deploy application allowlisting (AppLocker, Windows Defender Application Control, or the application-control feature of your EDR) so that unapproved executables, installers, and scripts cannot run. Start in audit-only mode to learn which applications are legitimately in use, then switch to enforced mode so that anything not explicitly allowed is blocked.
- Automate software distribution and updates: Use a centralized patch and deployment solution (SCCM/ConfigMgr, Intune, PDQ Deploy, or a managed service) so that approved software is installed and updated by IT. Block manual installers from running outside those channels through GPO or endpoint protection settings.
- Monitor and alert on unauthorized installations: Use endpoint detection and response (EDR), centralized logging, or a lightweight SIEM to detect new or unauthorized installs. Useful signals include Windows Installer events (MsiInstaller event ID 11707 for a completed install), AppLocker audit and block events (8003 and 8004), new entries under the Uninstall registry keys, changes under Program Files, and additions to startup locations. Alert on these and automate the remediation workflow (quarantine, uninstall, ticket creation).
- Regularly audit and remediate: Run scans monthly, or at least quarterly, that compare installed software against the approved inventory, remove unapproved applications, and review outstanding exceptions. Feed the results into the risk register and either update approvals or remove unsupported software promptly.
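The following PowerShell script is an added example, not part of the page and not vendor documentation. It shows the audit-first AppLocker rollout described in the application-control and monitoring steps above: generate allow rules from a clean reference machine, force every rule collection into AuditOnly, apply the policy locally, and then pull the events that record what would have been blocked. It assumes an elevated session on a Windows edition that supports AppLocker; the C:\AppLocker paths and the Get-AppLockerAuditFindings function are my own choices, not anything the page names.

```powershell
#Requires -RunAsAdministrator
# Added example: build an AppLocker policy in AuditOnly mode from a reference
# image, apply it, then triage the "would have been blocked" events.
Import-Module AppLocker

# 1. Inventory executables and scripts on the reference image. DLL rules are
#    omitted here; they add load and are usually tackled after EXE/Script.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}

# 2. Publisher rules for signed files (any version from that vendor), hash
#    rules as the fallback for unsigned ones. -Xml returns the policy as text.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                                 -User Everyone -Optimize -Xml

# 3. New policies come out as NotConfigured; set every collection to AuditOnly
#    so nothing is blocked yet but every decision is logged.
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = 'C:\AppLocker\baseline-audit.xml'   # hypothetical path
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$policy.Save($policyPath)

# 4. Apply to the local machine (use -Ldap or a GPO for the domain). AppLocker
#    only evaluates or logs anything while the Application Identity service runs.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc -ErrorAction SilentlyContinue

# 5. After the audit window, list 8003 (allowed, would be blocked if enforced)
#    and 8004 (blocked) events, one row per file. Event IDs are AppLocker's own.
function Get-AppLockerAuditFindings {
    param([int]$Days = 30)
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'
    Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003, 8004
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Mode      = if ($_.Id -eq 8003) { 'WouldBlock' } else { 'Blocked' }
                User      = $data.TargetUser
                File      = $data.FilePath
                Hash      = $data.FileHash
                Publisher = $data.Fqbn
            }
        } | Sort-Object File -Unique
}

Get-AppLockerAuditFindings -Days 30 |
    Export-Csv 'C:\AppLocker\audit-findings.csv' -NoTypeInformation   # hypothetical path
```

Before changing EnforcementMode to Enabled, add the AppLocker default rules in the Group Policy editor (allow %WINDIR% and %PROGRAMFILES% for Everyone, allow everything for Administrators); without them Windows itself is blocked. Triage every 8003 finding into "add to the approved list" or "remove from the image", and check a representative set of applications with Test-AppLockerPolicy. Because the Application Identity service is a protected service, set its startup type to Automatic through Group Policy (or sc.exe config appidsvc start= auto) rather than the Services console.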
Example in a Small or Medium Business
Acme Design, a 75-person design firm, adopts a simple policy: only IT installs software, and every request must include a business justification. The IT manager configures Active Directory and Intune so that standard users have no local admin rights, and pushes a company-standard image to new machines. When a designer needs a specialty plugin, they submit a ticket describing the business need; IT reviews the vendor and the plugin's security posture, signs off, and packages and deploys it through the deployment server. Microsoft Defender for Endpoint monitors the endpoints and raises an alert in the IT queue whenever an unapproved installer or unknown executable runs. During the monthly audit, IT compares installed applications against the approved inventory, uninstalls unauthorized games and trialware, and records recurring requests that may justify adding an application to the approved list. If an employee temporarily needs admin rights for a valid task, IT grants time-limited elevation through a privileged access management tool and logs the session for review. Over time this reduces malware incidents, keeps software current, and ensures every installed application has a recorded business justification and owner.
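As an added example (not the page's text and not Acme's own tooling), the PowerShell below implements the audit from the "Regularly audit and remediate" step and the monthly audit in the Acme walkthrough: enumerate what the endpoint reports as installed, compare it against the approved inventory, and list recent Windows Installer activity. The approved list is a constructed three-row stand-in for a CMDB export, the CSV path in the comment is hypothetical, and the function names are mine.

```powershell
# Added example: compare an endpoint's installed software against the approved
# inventory and report anything not on the list, plus recent MSI activity.

function Get-InstalledSoftware {
    # Read the Uninstall keys that Programs and Features uses: 64-bit, 32-bit
    # (WOW6432Node) and the logged-on user's per-user installs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.SystemComponent -ne 1 } |
        Select-Object @{ n = 'Name';        e = { $_.DisplayName } },
                      @{ n = 'Version';     e = { $_.DisplayVersion } },
                      @{ n = 'Publisher';   e = { $_.Publisher } },
                      @{ n = 'InstallDate'; e = { $_.InstallDate } },
                      @{ n = 'PerUser';     e = { $_.PSPath -like '*HKEY_CURRENT_USER*' } }
}

function Compare-ToApprovedInventory {
    param(
        [Parameter(Mandatory)] [object[]]$Installed,
        [Parameter(Mandatory)] [object[]]$Approved
    )
    # Normalize names so stray whitespace or case does not cause false findings.
    # An approved name is matched as a prefix so versions need not be listed.
    $approvedNames = $Approved | ForEach-Object { $_.Name.Trim().ToLowerInvariant() }
    foreach ($app in $Installed) {
        $name = $app.Name.Trim().ToLowerInvariant()
        $match = $approvedNames | Where-Object { $name.StartsWith($_) } | Select-Object -First 1
        if (-not $match) {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Name      = $app.Name
                Version   = $app.Version
                Publisher = $app.Publisher
                PerUser   = $app.PerUser
                Finding   = 'Not in approved inventory'
            }
        }
    }
}

function Get-RecentMsiInstalls {
    param([int]$Days = 30)
    # MsiInstaller writes 11707 (installation completed) and 11724 (removal
    # completed) to the Application log; both are documented Windows Installer IDs.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
                                     Id = 11707, 11724; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
}

# Constructed approved list standing in for the CMDB export. In production use
# Import-Csv '\\fileserver\it\approved-software.csv' (hypothetical path).
$approved = @(
    [pscustomobject]@{ Name = 'Microsoft 365 Apps for enterprise'; Publisher = 'Microsoft Corporation'; Owner = 'IT' }
    [pscustomobject]@{ Name = 'Adobe Creative Cloud';              Publisher = 'Adobe Inc.';            Owner = 'Design' }
    [pscustomobject]@{ Name = 'Google Chrome';                     Publisher = 'Google LLC';            Owner = 'IT' }
)

$findings = Compare-ToApprovedInventory -Installed (Get-InstalledSoftware) -Approved $approved
$findings | Export-Csv "$env:TEMP\unapproved-software-$env:COMPUTERNAME.csv" -NoTypeInformation
$findings | Format-Table Name, Version, Publisher, PerUser -AutoSize
Get-RecentMsiInstalls -Days 30 | Format-Table TimeCreated, Id, User -AutoSize
```

Run it on each endpoint through Intune, ConfigMgr, or a scheduled task and route the CSV to the ticket queue. The HKCU hive covers only the logged-on user, so a thorough sweep loads the other profiles' hives or scans HKU; the PerUser rows deserve the most attention because they are exactly the installs that removing local admin rights does not prevent. Prefix matching means "Google Chrome" also covers "Google Chrome Remote Desktop", so tighten the match to name plus publisher if that distinction matters.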
Summary
Implementing CM.L2-3.4.9 in an SMB combines a clear policy prohibiting unsupervised user installs, technical controls that remove local admin rights and enforce application allowlisting, and monitoring that detects and removes unauthorized software. Together these measures shrink the attack surface, keep only approved software on endpoints, and leave an auditable trail of approvals and remediation, so systems stay safer while legitimate business needs are still met.