MuonPartners
© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

SP800-53-CM-7(5) (status: Active)

Authorized Software — Allow-by-exception

Statement

(a) Identify [cm-07.05_odp.01: software programs];
(b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
(c) Review and update the list of authorized software programs [cm-07.05_odp.02: frequency].

Location

Control Family
Configuration Management

Control Details

Identifier
SP800-53-CM-7(5)
Family
CM
Parent Control
SP800-53-CM-7

Organisation-Defined Parameters

cm-07.05_odp.01: software programs (the set authorized to execute on the system)
cm-07.05_odp.02: frequency (how often the authorized list is reviewed and updated)

Supplemental Guidance

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.
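The guidance above describes the decision the control requires at execution time: identify each authorized program by more than its name (here, a pinned SHA-256 of a specific version plus its approved source), deny everything by default, permit only an exact match, and track whether the list has been reviewed within the organisation-defined frequency. The following is an added Python example written for this page, not NIST text or the site's own tooling; the program names, file contents, source label and 90-day review interval are constructed for the demonstration.

```python
"""Deny-all, permit-by-exception execution check with hash-pinned identity.

Added illustration for CM-7(5); the allowlist contents, file names and the
90-day review interval are constructed, not taken from any real system.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AllowedProgram:
    """One permit-by-exception entry: identity is path AND content hash AND source."""
    path: str      # canonical path the program must run from
    sha256: str    # pinned hash, so only this specific version is authorized
    source: str    # where the approved build came from (constructed label)


@dataclass
class Allowlist:
    entries: dict[str, AllowedProgram]   # keyed by canonical path
    last_reviewed: date                  # when the list was last reviewed
    review_every_days: int               # cm-07.05_odp.02, expressed in days

    def is_review_overdue(self, today: date) -> bool:
        """True when the list has not been reviewed within the defined frequency."""
        return today > self.last_reviewed + timedelta(days=self.review_every_days)


def sha256_of_file(path: str) -> str:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def may_execute(allowlist: Allowlist, path: str) -> tuple[bool, str]:
    """Return (decision, reason). The default is deny; only an exact match permits."""
    canonical = os.path.realpath(path)          # defeat symlink/relative-path tricks
    entry = allowlist.entries.get(canonical)
    if entry is None:
        return False, "not on allowlist (deny-all default)"
    if not os.path.isfile(canonical):
        return False, "listed path is not a regular file"
    actual = sha256_of_file(canonical)          # verify integrity before execution
    if actual != entry.sha256:
        return False, f"hash mismatch: expected {entry.sha256[:12]}..., got {actual[:12]}..."
    return True, f"permitted: pinned version from {entry.source}"


def demo() -> dict:
    """Exercise the three cases on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "backup-agent")          # constructed program
        with open(approved, "wb") as f:
            f.write(b"#!/bin/sh\necho backup-agent v1.2\n")
        unlisted = os.path.join(d, "nc")                    # constructed, not approved
        with open(unlisted, "wb") as f:
            f.write(b"#!/bin/sh\necho not approved\n")

        canonical = os.path.realpath(approved)
        allowlist = Allowlist(
            entries={canonical: AllowedProgram(canonical, sha256_of_file(approved),
                                               source="internal-package-repo")},
            last_reviewed=date(2025, 1, 1),
            review_every_days=90,
        )

        results = {
            "approved": may_execute(allowlist, approved),
            "unlisted": may_execute(allowlist, unlisted),
        }
        # Same path, modified content: a new version or a tampered binary is NOT
        # authorized until the list is updated with its hash.
        with open(approved, "ab") as f:
            f.write(b"echo injected\n")
        results["tampered"] = may_execute(allowlist, approved)
        # 2025-01-01 + 90 days is 2025-04-01, so a check on 2025-06-01 is overdue.
        results["review_overdue"] = allowlist.is_review_overdue(date(2025, 6, 1))
        return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of pinning a hash rather than a path or name is the "specific versions or from a specific source" sentence in the guidance: a program that is overwritten in place, whether by a legitimate update or by an attacker, fails the check until someone consciously re-approves it, which is also what forces the list review to happen. In production the enforcement sits in the operating system (for example Windows AppLocker or WDAC, or fapolicyd on Linux), but the decision logic those tools apply is the same deny-by-default match shown here.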

Assessment Objective

[cm-07.05_odp.01] software programs are identified;
a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;
the list of authorized software programs is reviewed and updated [cm-07.05_odp.02: frequency].

No cross-framework mappings available
