Only the capabilities you actually need.
CM-7 (least functionality) is the NIST SP 800-53 control that requires a system to be configured to provide only its essential capabilities and to prohibit or restrict the services, ports, protocols, and functions it does not need. Every unnecessary capability is attack surface, and attack surface is added in code: a package installed, a service enabled, a port opened, a feature flag left on.
The shapes the same control failure takes.
Least functionality erodes whenever a change adds a capability the system does not need to do its job. The recurring shapes:
An unnecessary service is added
A daemon or agent the application does not need (an SSH server, a stray sidecar) is installed and run, adding a service and a port to every instance.
A management or debug interface is exposed
An admin console, profiler, or debug endpoint is reachable in production, giving an attacker a powerful surface to aim at.
A disabled port or protocol is reopened
A port or an old protocol that had been turned off is enabled again for convenience, widening what can be reached.
A development-only feature is left on
A seed route, sample data endpoint, or verbose mode meant for development ships enabled in production.
A broad default is left in place
An insecure-but-convenient default (directory listing, a wildcard host allowlist) is left on rather than narrowed to what is needed.
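Each of the five shapes above is a pattern that can be spotted on the added lines of a diff. As an added example, not heygrc's code and not part of the original page, here is one rule per shape run over a unified diff of a Dockerfile and a Kubernetes manifest. The rule names, the regexes, the file paths and the sample diff are all constructed for illustration; the patterns are a starting point, not a catalogue, and a match is a prompt for a reviewer to ask whether the job needs that capability, not proof that it does not.

```python
# Added example, not heygrc's code or anything from the page: the five
# recurring CM-7 shapes turned into checks that run over a unified diff.
# Rule patterns, file paths and the sample diff are constructed for illustration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str      # file the added line lands in
    line_no: int   # line number in the new version of that file
    shape: str     # which CM-7 shape the added line matches
    text: str      # the added line, stripped


# One rule per shape. Each regex is tried against added ('+') lines only;
# removed and context lines are never flagged. Patterns are illustrative.
RULES: list[tuple[str, re.Pattern[str]]] = [
    ("unnecessary service added",
     re.compile(r"apt-get install.*\b(openssh-server|telnetd|vsftpd)\b"
                r"|\bservice \S+ start\b|\bsystemctl enable\b")),
    ("management or debug interface exposed",
     re.compile(r"\b(FLASK_DEBUG|FLASK_ENV|DJANGO_DEBUG)\b|--inspect\b|/debug/pprof")),
    ("disabled port or protocol reopened",
     re.compile(r"^\s*EXPOSE\s+\d+|\b(containerPort|hostPort):\s*\d+|\s-p\s+\d+:\d+")),
    ("development-only feature left on",
     re.compile(r"\bseed[_-]?(routes?|data)\b|\bsample[_-]?data\b|NODE_ENV=development", re.I)),
    ("broad default left in place",
     re.compile(r"ALLOWED_HOSTS\s*=\s*\[\s*['\"]\*['\"]|\bautoindex\s+on\b"
                r"|Options\s+\+?Indexes|0\.0\.0\.0/0")),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff and return every added line that matches a rule."""
    findings: list[Finding] = []
    path, new_line = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                 # new-file header, e.g. "+++ b/Dockerfile"
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\ ")):
            continue                               # old-file header and other diff metadata
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))             # first new-file line number of this hunk
            continue
        if raw.startswith("-"):
            continue                               # removed line: occupies no new-file line
        if raw.startswith("+"):
            content = raw[1:]
            for shape, pattern in RULES:
                if pattern.search(content):
                    findings.append(Finding(path, new_line, shape, content.strip()))
        new_line += 1                              # context and added lines both advance the counter
    return findings


def render(findings: list[Finding]) -> str:
    """One line per finding, in the form a pull-request comment would cite."""
    return "\n".join(f"{f.path}:{f.line_no}  CM-7 [{f.shape}]  {f.text}" for f in findings)


# Constructed sample diff: the SSH-in-image change plus a manifest change.
SAMPLE_DIFF = """\
diff --git a/Dockerfile b/Dockerfile
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,5 @@
 FROM python:3.12-slim
+RUN apt-get update && apt-get install -y openssh-server
+EXPOSE 22
 COPY . /app
-CMD ["python", "app.py"]
+CMD service ssh start && python app.py
diff --git a/deploy/web.yaml b/deploy/web.yaml
--- a/deploy/web.yaml
+++ b/deploy/web.yaml
@@ -10,4 +10,7 @@
         image: registry.example/web:1.4
         env:
+        - name: FLASK_DEBUG
+          value: "1"
         ports:
         - containerPort: 8000
+        - containerPort: 22
"""

if __name__ == "__main__":
    print(render(scan_diff(SAMPLE_DIFF)))
```

Run against the sample, the scanner reports the sshd install, the new EXPOSE, the shell-form CMD that starts the daemon, the Flask debug toggle and the second containerPort, each with the file and new-file line number a reviewer can cite. Context lines such as the existing containerPort 8000 are never flagged, which is the point: the check is about what a change adds, not about auditing the whole file.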
An SSH server baked into a container image.
Engineers want to shell into containers to debug, so the image installs an SSH server and starts it alongside the application. It works, and now every running container carries an sshd it does not need: one more service listening for connections across the whole fleet, kept there for occasional convenience.
FROM python:3.12-slim+ RUN apt-get update && apt-get install -y openssh-serverCOPY . /app- CMD ["python", "app.py"]+ CMD service ssh start && python app.pyInstalling and starting an SSH server makes every container run a service it does not need, listening for connections and widening the attack surface of the whole fleet. CM-7 (least functionality) expects a system to provide only essential capabilities and to disable unnecessary services. Use the platform's exec (kubectl exec, docker exec) to get a shell when you need one, rather than baking an sshd into the image.
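Review bot: the replacement `CMD service ssh start && python app.py` has two problems beyond the added surface. It moves the entrypoint from exec form to shell form, so `/bin/sh` becomes PID 1 and the orchestrator's SIGTERM no longer reaches `python app.py` on shutdown; and the `&&` makes the application's start depend on an sshd it does not need, so a failure in `service ssh start` takes the app down with it. The `RUN apt-get ... openssh-server` line also sets no sshd_config and adds no authorized keys, so what that listener accepts on every instance is decided by package defaults rather than by this diff. The fix is to drop the `RUN` line and keep `CMD ["python", "app.py"]`, and take interactive shells through `kubectl exec` or `docker exec` as the prose after the diff recommends.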
Least functionality is checked against what is actually running.
An assessment under NIST 800-53 looks at whether a system runs only what it needs: the services, ports, and functions that are enabled, and whether the unnecessary ones are disabled or restricted. A change that added a service, exposed a management interface, or reopened a port is the concrete expansion of attack surface behind that, and it is visible in the diff to the image, manifest, or config.
A review, not a hardening pipeline.
heygrc flags changes that touch CM-7 and cites the control so the fix happens in the pull request. It does not run your benchmark scans or your hardening automation. It catches the moment a change adds a capability the system does not need, at the diff. heygrc is in early access.