800-161r1: CM-7(5) seems to contain an error

old.reddit.com / @/u/loimprevisto, https://old.reddit.com/user/loimprevisto

800-53 identifies CM-7(5) as "LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE — ALLOW-BY-EXCEPTION". It describes a least functionality whitelisting policy required in systems applying the "high" security baseline. In 800-161 (page 91), a remote access control enhancement is cited:

(5) REMOTE ACCESS | PROTECTION OF MECHANISM INFORMATION Supplemental C-SCRM Guidance: The enterprise should obtain binary or machine-executable code directly from the OEM/developer or other acceptable, verified source. Level(s): 3

I'm not familiar with controls where enhancements are listed from other control families. Can someone help me understand whether this is an error, or whether it is stating that where whitelisting is used as part of a least functionality control in a C-SCRM context, the software should come from a verified source?

submitted by /u/loimprevisto

published 5 months ago
