CMMC Practices RM5152; Requirements and Documentation | ChatFortress

Posted on June 19, 2021 by Benjamin Bressington


CMMC Practice Requirement:

Risk Management - RM.5.152

Utilize an exception process for non-whitelisted software that includes mitigation techniques.

Risk Management - RM.5.152 - Clarification Statement

This practice defines and implements an explicit risk-reduction process in recognition that some software will be installed as an exception to the whitelist policy. Standard software packages that the organization trusts can be whitelisted based on the risk they carry and the organization's need for them. Once the whitelist is established, the organization needs a process that allows other software to be inspected and considered for operational use, even if only for a short period of time.

If an operational need arises for a software package that adds too much risk for the organization, the organization must decide whether it will allow the software to run at all and, if so, under what circumstances. Mitigation strategies can be as extensive as running the software only on a standalone system, or placing it in a protected virtual machine with limited access to corporate assets. The list of acceptable mitigation strategies should be determined by the organization's cybersecurity professional.

When a user requests the right to use software that is not whitelisted, the organization should follow its documented exception process to determine whether the non-standard software will be allowed to execute on endpoints. If the whitelisting technology allows, the organization can associate the exception software with a specific asset on the enterprise. Another option is to place the software inside a container and control what access it has on that system and across the enterprise.
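The scoping and mitigation options above are stated in policy terms. As an added example, not taken from the CMMC model or from this page, the PowerShell below shows how such an exception could be expressed in one common whitelisting technology, Windows AppLocker: the approved binary is pinned by hash rather than by path (so a later build does not inherit the approval), the rule is granted only to a dedicated group tied to the exception ticket, and the resulting policy is checked for both the approved group and everyone else before it is relied on. The binary path, group name, ticket ID and file locations are all hypothetical.

```powershell
# Added example, not part of the CMMC model text or the original page.
# Shows one way to implement a scoped, hash-pinned whitelist exception with
# Windows AppLocker. Everything below is a hypothetical illustration:
#   - AppLocker is the whitelisting technology, enforcement is on for the
#     Executable rule collection, and the Application Identity service runs.
#   - C:\Exceptions\VendorTool\vendortool.exe is the binary that was inspected.
#   - CONTOSO\SW-Exception-VendorTool is an AD group holding only the user(s)
#     the exception was granted to; the asset itself is targeted by the GPO link.
#   - EXC-2021-017 is the ticket from the documented exception process.
$ExceptionBinary = 'C:\Exceptions\VendorTool\vendortool.exe'
$ExceptionGroup  = 'CONTOSO\SW-Exception-VendorTool'
$TicketId        = 'EXC-2021-017'
$RuleFile        = "C:\Policies\AppLocker-$TicketId.xml"
$EffectiveFile   = 'C:\Policies\AppLocker-effective.xml'

# 1. Generate a rule from the inspected file. A Hash rule pins the approval to the
#    exact bytes that were reviewed, so a silently updated build is not covered.
#    Use -RuleType Publisher only if the vendor signs the binary and you accept
#    that publisher/product/version range as part of the exception.
Get-AppLockerFileInformation -Path $ExceptionBinary |
    New-AppLockerPolicy -RuleType Hash -User $ExceptionGroup -RuleNamePrefix $TicketId -Xml |
    Out-File -FilePath $RuleFile -Encoding UTF8

# 2. Merge the rule into the local policy (add -Ldap to target a domain GPO instead).
Set-AppLockerPolicy -XmlPolicy $RuleFile -Merge

# 3. Verify the scope: the exception group must be Allowed and everyone else must
#    still be Denied. (The second result assumes no other rule in the effective
#    policy already allows that path.)
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $EffectiveFile -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $EffectiveFile -Path $ExceptionBinary -User $ExceptionGroup
Test-AppLockerPolicy -XmlPolicy $EffectiveFile -Path $ExceptionBinary -User 'CONTOSO\Domain Users'

# 4. Exceptions are temporary. Record the review date on the ticket and remove the
#    rule (findable by its $TicketId name prefix) when the approval lapses.
```

Pinning by hash and naming the rule after the ticket is what makes the exception auditable later: an assessor can trace every non-standard allow rule back to the review that granted it, and a rule whose ticket has expired is easy to spot and remove.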

Need more help understanding this CMMC & NIST800-171 requirement?

ChatFortress has made available a series of tools to help you implement CMMC & NIST800-171 into your company. Here are some of the resources you might want to review.

How to Implement a CMMC Audit/Assessment using CMMC Software Tool?

How can ChatFortress help you implement CMMC?


Are you worried that your company is vulnerable to ransomware?

The Business Cybersecurity System protects you against real-world threats while building your cybersecurity culture. Using the latest in breach and attack simulation, our team can show you which ransomware and malware attacks would cripple your company regardless of the cybersecurity protections you already have in place.

Who is ChatFortress

ChatFortress is a leading cybersecurity company that helps small and medium-size companies protect themselves from hacking attempts, using cybersecurity AI, gamified cybersecurity awareness programs and virtual security analysts. Our goal is to help you create a cybersecurity-aware culture.

Talk to Us

Reduce your cybersecurity risk and exposure. Schedule time with your ChatFortress Specialist now
or Call 307-999-7755
