Control Description Data Protection Classification
Level 1 Level 2 Level 3 Level 4
CM-4 Analyze the security impact of changes prior to implementation. essential essential essential essential
CM-7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. essential recommended essential essential
CM-8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. recommended recommended required essential