This post explains how to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control CM.L2-3.4.7—restricting or disabling nonessential programs, functions, ports, protocols, and services—by providing concrete, actionable steps for AWS, Azure, and GCP with small-business examples, compliance tips, and technical specifics you can implement now.
Understanding CM.L2-3.4.7 and the compliance objective
CM.L2-3.4.7 requires organizations to minimize attack surface by ensuring only essential services and network pathways are enabled on systems that process, store, or transmit Controlled Unclassified Information (CUI). Practically this means implementing default-deny network policies, removing or disabling unnecessary OS services and daemons, hardening images, and enforcing these restrictions across workloads with automated checks so the environment remains compliant over time.
Practical steps for AWS
AWS - network and perimeter controls
Start with Security Groups and VPC design: apply "deny by omission"—create Security Groups that only allow specific inbound ports (for example, TCP 443 on the web tier) and deny everything else. Avoid opening SSH (TCP 22) to 0.0.0.0/0; instead use AWS Systems Manager Session Manager for interactive access. Use Network ACLs for an additional stateless layer and enforce organization-wide common-port restrictions with an AWS Config managed rule like restricted-common-ports or custom AWS Config rules. For centralized enforcement, deploy AWS Network Firewall or AWS Firewall Manager to ensure consistent rules across accounts.
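The "deny by omission" check above can be automated outside AWS Config as well. The following is an added example (not code from the original post): it audits Security Group ingress permissions, in the same dict shape boto3's describe_security_groups() returns, for management and database ports reachable from 0.0.0.0/0 or ::/0. The blocked-port set and sample groups are constructed assumptions.

```python
"""Audit EC2 Security Group ingress rules for internet-exposed management/database ports.
Added example, not from the original post. Rule dicts mirror the shape boto3's
describe_security_groups() returns, so SAMPLE_GROUPS can be swapped for live data."""
from typing import Dict, List

# Ports that must not be reachable from 0.0.0.0/0 or ::/0 (SSH, RDP, WinRM, common DBs).
# Same intent as the AWS Config managed rule restricted-common-ports (assumed port set).
BLOCKED_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 27017}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def world_open(perm: Dict) -> bool:
    """True if the permission's source includes the whole internet (IPv4 or IPv6)."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def blocked_ports_covered(perm: Dict) -> List[int]:
    """Blocked ports inside this permission's port range; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return sorted(BLOCKED_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:  # ICMP entries carry type/code rather than ports
        return []
    return sorted(p for p in BLOCKED_PORTS if lo <= p <= hi)

def find_violations(groups: List[Dict]) -> List[str]:
    """One finding per (group, blocked port) that is open to the entire internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if world_open(perm):
                for port in blocked_ports_covered(perm):
                    findings.append(f"{sg['GroupId']} exposes port {port} to the internet")
    return findings

# Constructed sample: a compliant web tier, an SSH-to-world mistake, and an allow-all group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,  # internal-only RDP: fine
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
]
```

Running find_violations(SAMPLE_GROUPS) reports one finding for sg-admin (port 22) and one per blocked port for sg-allow-all, while sg-web and the internal-only RDP rule pass.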
AWS - host and workload hardening
Use Amazon Machine Images (AMIs) that are hardened to CIS benchmarks and automate patching with AWS Systems Manager Patch Manager and State Manager. Remove or disable unnecessary services via SSM Run Command or SSM State Manager (for example, disable unused daemons with systemctl disable
Practical steps for Azure
Azure - network controls and policies
Use Network Security Groups (NSGs) to restrict inbound traffic and apply explicit deny for everything not required. Set rule priorities carefully (lower numbers = higher priority) and document allowed ports. Replace direct RDP/SSH access with Azure Bastion or Just-In-Time VM access (part of Microsoft Defender for Cloud). Enforce baseline network rules via Azure Policy (built-in definitions such as "Audit open inbound ports" or custom policies that deny NSGs with wide-open ports). For centralized filtering use Azure Firewall and Azure Front Door/WAF for internet-exposed services.
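Because NSG rules are evaluated by ascending priority number with first match winning, a broad Allow at a lower number silently overrides a later Deny. The following added example (not code from the original post) reproduces that evaluation, including Azure's non-removable default inbound rules, over a constructed rule set where a misordered DenyRDP rule never takes effect.

```python
"""Evaluate Azure NSG inbound rules as the platform does: ascending priority number,
first match wins. Added example, not from the original post; rule dicts are constructed
using the fields an NSG security rule has (priority, access, source, port, protocol)."""
from typing import Dict, List

# Azure's built-in default inbound rules (priority 65000+, cannot be removed).
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "source": "VirtualNetwork", "port": "*", "protocol": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "source": "AzureLoadBalancer", "port": "*", "protocol": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "source": "*", "port": "*", "protocol": "*"},
]

def port_matches(spec: str, port: int) -> bool:
    """spec is '*', a port '22', a range '3000-4000', or a comma list '22,3389'."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def effective_rule(rules: List[Dict], source: str, port: int, protocol: str = "Tcp") -> Dict:
    """First rule (lowest priority number) matching source tag, port and protocol."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda x: x["priority"]):
        if (r["protocol"] in ("*", protocol) and r["source"] in ("*", source)
                and port_matches(r["port"], port)):
            return r
    raise AssertionError("DenyAllInBound matches everything; unreachable")

def internet_exposed_ports(rules: List[Dict], candidates=(22, 443, 3389)) -> List[int]:
    """Candidate ports that the 'Internet' service tag can actually reach."""
    return [p for p in candidates
            if effective_rule(rules, "Internet", p)["access"] == "Allow"]

# Constructed sample: DenyRDP got priority 200, but a 3000-4000 Allow at 110 covers 3389.
SAMPLE_RULES = [
    {"name": "AllowHTTPS", "priority": 100, "access": "Allow",
     "source": "Internet", "port": "443", "protocol": "Tcp"},
    {"name": "AllowAppRange", "priority": 110, "access": "Allow",
     "source": "Internet", "port": "3000-4000", "protocol": "Tcp"},
    {"name": "DenyRDP", "priority": 200, "access": "Deny",
     "source": "Internet", "port": "3389", "protocol": "Tcp"},
]
```

With the sample as written, internet_exposed_ports(SAMPLE_RULES) returns [443, 3389]; moving DenyRDP below 110 (for example to 105) closes 3389, which is why the post tells you to assign and document priorities deliberately.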
Azure - configuration automation and host hardening
Apply Azure Blueprints or ARM/Bicep templates that include hardened VM extensions and scripts that disable unnecessary services. Use Azure Update Management for patching and Azure Policy initiatives to require specific VM extensions (such as the Log Analytics agent) and configuration states. Use Microsoft Defender recommendations to identify unnecessary services running on VMs. Example for a small business: deploy AKS or App Service where possible (a managed platform means fewer OS services to manage), and for any IaaS VMs, automate removal of unused packages and run baseline checks via Azure Automation Desired State Configuration.
Practical steps for GCP
GCP - network and identity controls
Implement a default-deny model with VPC firewall rules that only allow required ports and use targetTags/service accounts to scope rules precisely. Avoid leaving the default allow-icmp/ssh/rdp rules enabled. Use Identity-Aware Proxy (IAP) and OS Login for secure administrative access instead of opening SSH to the internet. Use Firewall Policies at the organization level to enforce common-port restrictions and set appropriate priorities so broad denies supersede accidental allows.
GCP - workload and container hardening
For GKE, enable private clusters, use NetworkPolicy (Calico) to restrict pod-to-pod communication, and enforce Binary Authorization to ensure only signed images run. Use Container Registry vulnerability scanning or Artifact Registry scanning and automate image rebuilds. For VM instances, use OS Config for patch management and startup scripts to disable unnecessary services. Small-business example: a single GKE cluster hosting a CUI-handling app—use an internal load balancer, expose only TCP 443, lock down node pools with private node IPs, and apply a NetworkPolicy that allows only frontend to backend traffic and blocks all else.
Containers, images, and host-level specifics
Across all clouds, minimize base images, remove language runtimes or packages not required, and drop capabilities in containers (use cap_drop or Kubernetes securityContext). Use CIS Benchmarks for OS and Kubernetes hardening. Implement runtime monitoring (e.g., Falco, Amazon Inspector, Azure Defender for Containers) to detect services started at runtime that violate the baseline. Enforce image provenance with signed images and immutable registries so accidental inclusion of vulnerable services is prevented.
Automation, monitoring, and remediation
Make compliance continuous: codify permitted ports/services in IaC (Terraform, ARM/Bicep, Deployment Manager) and scan with tfsec/Checkov/SonarQube. Use policy-as-code: AWS Config rules, Azure Policy, and OPA/Gatekeeper in Kubernetes. Enable logging (AWS CloudTrail and VPC Flow Logs, Azure Activity Log and NSG Flow Logs, GCP Audit Logs and VPC Flow Logs) and forward to a SIEM or cloud-native security center with alerting for violations. Automate remediation with Lambda/Functions/Automation runbooks to close or quarantine noncompliant resources.
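The container hardening points above (drop capabilities via securityContext, no privileged or host-level access) and the policy-as-code approach in this section can be combined in one admission-style check. The following is an added example (not code from the original post) that evaluates a Pod manifest in dict form the way an OPA/Gatekeeper constraint would; the approved-port list and the two sample manifests are constructed assumptions.

```python
"""Policy-as-code check for a Kubernetes Pod manifest (dict form of the YAML): flags
containers that keep Linux capabilities, can escalate privilege, run privileged, or bind
host ports/network, plus listening ports outside an approved list. Added example, not
from the post; it mirrors what an OPA/Gatekeeper constraint would reject at admission."""
from typing import Dict, List

APPROVED_PORTS = frozenset({443, 8443})  # assumed allow-list for a CUI-handling app

def check_pod(pod: Dict, approved_ports=APPROVED_PORTS) -> List[str]:
    """Return a list of violations; an empty list means the Pod meets the baseline."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork true (shares the node's network namespace)")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities not dropped (set drop: [ALL])")
        if caps.get("add"):
            findings.append(f"{name}: re-adds capabilities {sorted(caps['add'])}")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        for p in c.get("ports", []):
            if "hostPort" in p:
                findings.append(f"{name}: binds hostPort {p['hostPort']}")
            if p.get("containerPort") not in approved_ports:
                findings.append(f"{name}: containerPort {p.get('containerPort')} not approved")
    return findings

# Constructed sample manifests (not from any real cluster).
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "cui-app"}, "spec": {
    "containers": [{"name": "app", "image": "registry.example.internal/cui-app:1.4",
                    "ports": [{"containerPort": 8443}],
                    "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                        "runAsNonRoot": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
LOOSE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "nginx:latest",
                    "ports": [{"containerPort": 80, "hostPort": 80}]}]}}
```

check_pod(HARDENED_POD) returns an empty list, while check_pod(LOOSE_POD) returns five findings (hostNetwork, capabilities, privilege escalation, hostPort, and an unapproved port), which is the output you would wire into a CI gate or admission webhook.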
Risk of not implementing CM.L2-3.4.7
Failing to restrict nonessential ports, services, and protocols dramatically increases attack surface, enabling easy initial access (open RDP/SSH), lateral movement, and data exfiltration—especially critical where CUI resides. For organizations under DoD contracts, noncompliance can result in lost contracts, remediation costs, reputational damage, and potential regulatory penalties. Operationally, unmanaged services cause drift that makes incident response and forensic analysis far harder.
Compliance tips and best practices
Maintain an up-to-date inventory of services and network openings tied to each workload and CUI boundary. Use least-privilege access patterns, remove management ports from internet-facing rules, prefer managed platform services where practical, and include security checks in CI/CD pipelines. For small businesses: centralize access via bastion/JIT/SSM, document exceptions (who approved and why), and schedule monthly automated scans plus quarterly manual reviews. Keep evidence—config rules, policies, and automated remediation logs—for audits and assessments.
Summary: CM.L2-3.4.7 is about reducing attack surface by denying everything by default and allowing only what is necessary; you can meet this requirement by combining network-layer default-deny controls, host- and image-hardening, container policies, automated compliance checks, and continuous monitoring—applied via AWS Security Groups/Config, Azure NSGs/Policy, and GCP Firewall Policies/OS Config—so your cloud workloads remain secure, auditable, and compliant.