Systems provide only the essential capabilities — nothing extra.
What it actually means
Every extra feature, service, or app is attack surface. Configure systems to do only what they need to do — disable the rest. A web server doesn't need a mail service running; a CUI workstation doesn't need games and torrent clients.
Pass or fail — an assessor needs a "yes" to each
- Systems are configured to essential capabilities only.
- Nonessential features/services are disabled.
- This is part of the baseline and maintained.
What to have ready
- Baseline showing disabled/removed nonessential functions
- Build/hardening checklist
Where teams trip up
- Default installs with everything enabled
- Unused roles/services left running
- No standard for what 'essential' means
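An added example, not part of the original page: one way to turn "essential" into a written standard and catch unused services left running is to compare a host's enabled systemd services with a per-role allowlist. The role name, baseline contents, ignore list and sample `systemctl` output below are constructed assumptions.

```python
"""Audit enabled systemd services against an approved baseline (added example)."""

# Hypothetical baseline: the written definition of "essential" for one role.
BASELINE = {
    "web-server": {"nginx.service", "sshd.service", "chronyd.service",
                   "auditd.service", "rsyslog.service"},
}

# Constructed sample of:
#   systemctl list-unit-files --type=service --state=enabled --no-legend
SAMPLE_OUTPUT = """\
auditd.service    enabled enabled
chronyd.service   enabled enabled
cups.service      enabled enabled
nginx.service     enabled enabled
postfix.service   enabled disabled
sshd.service      enabled enabled
getty@.service    enabled enabled
"""

def parse_enabled(text):
    """Return the set of unit names whose state column is 'enabled'."""
    units = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "enabled":
            units.add(fields[0])
    return units

def audit(role, text, ignore=("getty@.service",)):
    """Compare enabled units with the role baseline.

    unexpected: enabled but not approved (disable, or justify and add to baseline)
    missing:    approved but not enabled (the baseline no longer matches the host)
    ignore:     hypothetical list of documented exemptions, e.g. template units
    """
    approved = BASELINE[role]
    enabled = parse_enabled(text) - set(ignore)
    return {"unexpected": sorted(enabled - approved),
            "missing": sorted(approved - enabled)}

if __name__ == "__main__":
    result = audit("web-server", SAMPLE_OUTPUT)
    for unit in result["unexpected"]:
        print(f"FAIL nonessential service enabled: {unit}")
    for unit in result["missing"]:
        print(f"WARN baseline service not enabled: {unit}")
    raise SystemExit(1 if result["unexpected"] else 0)
```

Run on a schedule with the live `systemctl` output in place of the sample, the saved results double as evidence that the baseline is maintained.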