You allow only approved software (or block known-bad) — by policy and tooling.
What it actually means
You control what software executes — either by blocking unauthorized software (deny-by-exception) or, better, allowing only approved software (allowlisting / deny-all-permit-by-exception). Application control (AppLocker, WDAC, or an EDR feature) is how this is enforced.
Pass or fail — an assessor needs a "yes" to each
- A software-execution policy exists (allowlist preferred, or blocklist).
- It's enforced with tooling (AppLocker/WDAC/EDR), not just policy.
- Unauthorized software is actually prevented from running.
What to have ready
- Application-control configuration (AppLocker/WDAC/EDR)
- Allowlist or blocklist policy
- Test/enforcement evidence
Where teams trip up
- Policy on paper with no enforcement
- Users free to install and run anything
- Allowlist defined but left in audit-only mode (it logs what would be blocked and blocks nothing)
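The three "yes" answers above (policy exists, enforced with tooling, unauthorized software actually blocked) and the audit-only trap, as an added PowerShell example that is not from this page or from Microsoft: it writes a minimal AppLocker allowlist, dry-runs it against a file inside and a file outside the approved paths, checks every rule collection's enforcement mode and the Application Identity service, and counts the event-log entries that distinguish "would have blocked" from "blocked". It assumes a Windows edition with the AppLocker module, an elevated session, and the constructed paths and rule GUIDs below.

```powershell
# Added example, not code from the page or from Microsoft. Assumes Windows
# 10/11 Enterprise or Server with the AppLocker module and an elevated session.
Import-Module AppLocker

# --- 1. Allowlist policy: deny all, permit by exception --------------------
# Everyone (S-1-1-0) may run only what lives under Program Files and Windows;
# local Administrators (S-1-5-32-544) may run anything so patching still
# works. Anything unmatched is denied because the collection is "Enabled"
# rather than "AuditOnly". Rule GUIDs are constructed for this example.
$AllowlistXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="1a3b7c2e-0001-4b5e-9c1d-000000000001" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="1a3b7c2e-0002-4b5e-9c1d-000000000002" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="1a3b7c2e-0003-4b5e-9c1d-000000000003" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$PolicyPath = Join-Path $env:TEMP 'applocker-allowlist.xml'   # constructed path
Set-Content -Path $PolicyPath -Value $AllowlistXml

# --- 2. Dry run before deploying: what decision does each file get? --------
# Test-AppLockerPolicy evaluates files against the XML without applying it.
# PolicyDecision is Allowed, Denied, or DeniedByDefault (no rule matched).
# The second file is a copy of notepad.exe placed outside the allowed paths,
# standing in for software a user dropped in a writable folder.
$Unapproved = Join-Path $env:TEMP 'unapproved-tool.exe'   # constructed
Copy-Item "$env:WINDIR\System32\notepad.exe" $Unapproved -Force
$SampleFiles = @("$env:WINDIR\System32\notepad.exe", $Unapproved)

function Test-AllowlistDecisions {
    param([string]$XmlPolicy, [string[]]$Paths, [string]$User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $XmlPolicy -Path $Paths -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# --- 3. Enforce, then prove enforcement ------------------------------------
# Uncomment to apply locally. Without -Merge this replaces the local policy.
# Set-AppLockerPolicy -XmlPolicy $PolicyPath

function Test-AppControlEnforced {
    # One object per rule collection in the effective (local + domain) policy.
    # A collection in AuditOnly or NotConfigured is a finding: rules exist on
    # paper but nothing is blocked. AppLocker also does nothing unless the
    # Application Identity service (AppIDSvc) is running.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $serviceRunning = [bool]($svc -and $svc.Status -eq 'Running')
    $effective = Get-AppLockerPolicy -Effective
    foreach ($rc in $effective.RuleCollections) {
        [pscustomobject]@{
            Collection      = $rc.RuleCollectionType
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = $rc.Count
            ServiceRunning  = $serviceRunning
            Enforced        = ($serviceRunning -and $rc.EnforcementMode -eq 'Enabled')
        }
    }
}

function Get-AppControlEvidence {
    # Audit-only mode writes event 8003 ("would have been prevented");
    # enforced mode writes 8004 ("was prevented from running"). Counts over
    # the last $Days days are the "actually prevented" evidence an assessor
    # asks for; a host with many 8003s and no 8004s is still in audit mode.
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WouldHaveBlockedAuditOnly = @($events | Where-Object Id -eq 8003).Count
        BlockedEnforced           = @($events | Where-Object Id -eq 8004).Count
    }
}

Test-AllowlistDecisions -XmlPolicy $PolicyPath -Paths $SampleFiles | Format-Table -AutoSize
Test-AppControlEnforced | Format-Table -AutoSize
Get-AppControlEvidence
```

In the dry run, notepad.exe under %WINDIR% comes back Allowed and the copy in %TEMP% comes back DeniedByDefault for Everyone, which is the allowlist behaving as intended. The output of Test-AppControlEnforced is the artefact to keep for "test/enforcement evidence": every collection you rely on should show Enabled with the service running. Path rules are used here for brevity; for production allowlists prefer publisher or hash rules, because a path rule covering any directory that standard users can write to (parts of %WINDIR% included) lets them place and run their own binaries inside it.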