3.4.8 — Whitelist or Blacklist Software

The One-Liner

Can you tell the assessor exactly which applications are approved to run on your CUI systems — and prove unauthorized ones are blocked?

What It Says

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

What It Actually Means

You must choose an application control approach, document it, and enforce it technically:

Whitelisting (deny-all, permit-by-exception) — nothing runs unless it’s on the approved list. This is the stronger approach. Only explicitly authorized software executes. An unknown executable is blocked by default. Tools: Windows Defender Application Control (WDAC), AppLocker, or third-party application control.

Blacklisting (deny-by-exception) — everything runs unless it’s on the blocked list. This is the minimum acceptable approach. Known-bad software is blocked — antivirus/EDR handles some of this, but you also need a defined list of unauthorized software categories (hacking tools, remote access tools, cryptocurrency miners, peer-to-peer software). Everything not on the block list can still execute.

Three things the assessor checks:

1. Policy choice is documented. You’ve decided and documented whether you’re using whitelisting or blacklisting (or a combination). The assessor expects whitelisting for CUI systems when feasible.

2. The allowed or blocked software is specified. You have a defined list — either the whitelist of approved software or the blacklist of prohibited software. Not vague categories but specific executables, publishers, or hash values.

3. The policy is technically implemented. The control is actually enforced, not just documented. The assessor will try to run an unauthorized executable and expect it to be blocked (whitelisting) or will check that known-bad categories are blocked (blacklisting).

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is the whitelisting or blacklisting policy specified?	Documented policy decision — which approach and why
2	Is the allowed or blocked software specified?	Defined list of authorized software (whitelist) or prohibited software (blacklist)
3	Is the policy technically implemented?	WDAC, AppLocker, or equivalent actively enforcing the policy — demonstrate with a blocked execution attempt

---

What to Have Ready on Assessment Day

Documents they’ll review: Configuration management policy; procedures addressing application control; system security plan; list of authorized or unauthorized software; system configuration settings showing application control is enabled; security configuration checklists; review records for the software list

People they’ll talk to: Personnel responsible for identifying authorized or unauthorized software; information security personnel; system or network administrators

Live demos they’ll ask for: “Show me your application control configuration.” “Try to run an unauthorized application — show me it’s blocked.” “Show me your approved software list.” “How do you add new software to the approved list?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Are you using whitelisting, blacklisting, or a combination? Show me the policy.”
• “Show me the list of authorized software for a CUI workstation.”
• “Is the system configured to only allow authorized software? Demonstrate.”
• “Try to run an unauthorized executable — what happens?”
• “How do you add new software to the approved list? What’s the process?”
• “Are automated mechanisms used to enforce your application control policy?”
• “Is there a defined list of software programs authorized to execute?”

Real-World Example

A defense contractor implements WDAC (Windows Defender Application Control) on all CUI workstations using a whitelisting approach. The base policy allows: Windows binaries signed by Microsoft, Microsoft 365 apps, the VPN client, approved engineering software (signed by the publisher), and the Defender for Endpoint agent. A supplemental policy adds three line-of-business applications by publisher certificate. Any executable not covered by the policy is blocked. New software requests go through the change management process: the IT Security Lead evaluates the software, adds the publisher certificate or hash to the supplemental policy, tests on a staging workstation, and deploys via Intune. On CUI servers, AppLocker restricts execution to a defined set of server binaries plus approved management tools. The assessor downloads a benign test executable to a CUI workstation — WDAC blocks execution with an event log entry. The assessor reviews the WDAC policy XML and the Intune deployment configuration.

---

Where Companies Trip Up

No application control at all. Users can run any software. The assessor downloads a test executable and it runs. Deploy at minimum a blacklist approach via endpoint protection; whitelisting is preferred for CUI systems.

Blacklist is just antivirus. AV blocks known malware but not unauthorized legitimate software. A user downloads a remote access tool or a cryptocurrency miner and AV doesn’t flag it because it’s not technically malware. A blacklist must include categories of unauthorized software beyond just known malware signatures.

Whitelist too broad. The whitelist allows “any Microsoft-signed binary” without further restriction — which includes developer tools, debugging utilities, and other software that shouldn’t be on a CUI workstation. Tailor the whitelist to what each system type actually needs.

No process for adding software. Application control is deployed but when a user needs new software, there’s no defined process to add it. This leads to either the control being bypassed or users being blocked from legitimate work. Define a software request and approval workflow.

---

How to Talk About This

To a CEO or Board

We control exactly which software runs on CUI systems. We use a whitelist approach — only explicitly approved applications execute. Unknown or unauthorized software is automatically blocked. New software goes through a formal approval process before it’s added.

To an Engineering Team

WDAC on workstations (whitelist): Microsoft-signed OS binaries + approved apps by publisher cert. AppLocker on servers: restricted execution policy. New software: change request → IT Security Lead evaluation → publisher cert or hash added to supplemental policy → staged test → Intune deployment. Blacklist supplement: EDR blocks known-bad + policy blocks unauthorized categories (RATs, P2P, crypto miners). Quarterly review of approved software list.

---

Connected Requirements

Requirement	Why it matters here
3.4.7 — Block What’s Not Needed	Application control is the mechanism for blocking nonessential programs
3.4.9 — No Unauthorized Software	Controls and monitors user-installed software — this requirement provides the enforcement
3.4.1 — Know Your Inventory	Software inventory feeds the approved software list
3.14.2 — Deploy Anti-Malware	AV/EDR complements application control — defense in depth

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: CM.L2-3.4.8 | SPRS Weight: 5 points | POA&M Eligible: No