| Control ID |
Control Description | Data Protection Classification | ||||||
| Level 1 | Level 2 | Level 3 | Level 4 | |||||
| CM-4 | Analyze the security impact of changes prior to implementation. | essential | essential | essential | essential | |||
| CM-7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | essential | recommended | essential | essential | |||
| CM-8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | recommended | recommended | required | essential | |||