Least Functionality
Also known as: Principle of least functionality
The cybersecurity principle that systems should provide only essential functionality and disable nonessential capabilities. Required by CM.L2-3.4.6.
Least functionality is the principle that systems should be configured to provide only the capabilities essential for their intended function, with all nonessential features, services, ports, and protocols disabled. It reduces attack surface and is required by NIST SP 800-171 CM.L2-3.4.6.
In practice, least functionality means turning off unused services, blocking unused network ports, removing unnecessary software, disabling unused protocols, and applying hardening guides (CIS Benchmarks, DISA STIGs) to in-scope systems.
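One way to check the "unused network ports" part of this on a Linux host, as an added example that is not part of the original glossary entry: it parses the output of `ss -H -tuln` and compares each listener with an approved baseline. The sample output and the `APPROVED` baseline are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*
"""

# Hypothetical baseline: the only listeners this system's function requires.
APPROVED = {("tcp", 22), ("tcp", 443)}


def parse_listeners(ss_output):
    """Return a set of (proto, port, is_loopback) from `ss -H -tuln` text."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False  # e.g. "*" wildcard: treat as exposed
        listeners.add((proto, int(port), loopback))
    return listeners


def audit(ss_output, approved):
    """Return (unapproved listeners, baseline entries with no listener)."""
    observed = parse_listeners(ss_output)
    seen = {(proto, port) for proto, port, _ in observed}
    unapproved = sorted(l for l in observed if l[:2] not in approved)
    stale = sorted(approved - seen)  # approved but not running: trim baseline
    return unapproved, stale


if __name__ == "__main__":
    unapproved, stale = audit(SAMPLE_SS, APPROVED)
    for proto, port, lo in unapproved:
        scope = "loopback only" if lo else "network-exposed"
        print(f"unapproved listener: {proto}/{port} ({scope})")
    for proto, port in stale:
        print(f"baseline entry not in use: {proto}/{port}")
```

Baseline entries with no matching listener are reported as well, since an approved port that nothing uses is itself nonessential and can be removed from the baseline.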