This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 (3) Additional FedRAMP Requirements and Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
NIST 800-53 (r4) Supplemental Guidance:
Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, together with organizational verification of those signatures, are a method of code authentication. Related controls: CM-7, SC-13, SI-7.
NIST 800-53 (r5) Discussion:
Withdrawn: Moved to CM-14.
38North Guidance:
Meets Minimum Requirement:
Ensure all changes to systems go through a formal approval process. Digital signatures must be verified on all third-party (externally developed) applications before they are installed.
Prohibit the installation of vendor-provided software patches, updates, and new releases unless the component has been verified as digitally signed with a certificate that is recognized and approved by the organization. Check each patch for a valid signature from an approved signer before deploying it into the information system. If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be used, provided the expected hash or the self-signed certificate is itself obtained through a channel the organization trusts and pinned in advance; a hash published next to the download gives no protection against a compromised distribution point.
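The install gate described above, as an added example (this is not 38North, NIST or FedRAMP code). It assumes GnuPG as the signature tool, a keyring that contains only the organization's approved vendor keys, a detached `.asc` signature beside each package, and a digest manifest the organization obtained out-of-band; the package bytes, file names and the `demo` cases are constructed for illustration.

```python
"""
CM-5(3) install gate: accept a component only if (a) a detached signature over
it verifies against the approved keyring, or (b) no approved signature exists
and its SHA-256 matches a digest pinned out-of-band (the FedRAMP fallback).
Anything else is rejected, so the gate fails closed.
Added example; gpg invocation, .asc naming and manifest shape are assumptions.
"""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Mapping, Tuple

SIGNED = "accepted: signed by an approved key"
PINNED = "accepted: unsigned, but SHA-256 matches the organization's pinned digest"
REJECTED = "rejected: no approved signature and no pinned digest match"

SigCheck = Callable[[Path, Path, Path], bool]


def gpg_signature_ok(pkg: Path, sig: Path, keyring: Path) -> bool:
    """True only when gpg reports a good signature over pkg by a key in the
    approved keyring. Using an explicit keyring with --no-default-keyring makes
    a valid signature from an unapproved vendor key fail, which is what
    'recognized and approved by the organization' requires."""
    if shutil.which("gpg") is None or not sig.is_file() or not keyring.is_file():
        return False  # no tool, no signature or no trust store: fail closed
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--verify", str(sig), str(pkg)],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0  # non-zero on BAD SIG or unknown signer


def pinned_digest_ok(data: bytes, name: str, approved: Mapping[str, str]) -> bool:
    """Fallback check: SHA-256 of the bytes against the digest pinned for this
    artifact name. compare_digest keeps the comparison constant-time."""
    expected = approved.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


def install_decision(pkg: Path, keyring: Path, approved: Mapping[str, str],
                     sig_check: SigCheck = gpg_signature_ok) -> Tuple[bool, str]:
    """Gate one component. Signature evidence is tried first; the digest
    fallback is consulted only when no approved signature verifies."""
    sig = pkg.with_name(pkg.name + ".asc")  # assumed detached-signature layout
    if sig_check(pkg, sig, keyring):
        return True, SIGNED
    if pinned_digest_ok(pkg.read_bytes(), pkg.name, approved):
        return True, PINNED
    return False, REJECTED


# Constructed stand-in for a vendor patch; not a real artifact.
CONSTRUCTED_PACKAGE = b"\x1f\x8b\x08\x00constructed-vendor-patch-1.4.2\x00"


def demo() -> dict:
    """Run the gate over constructed cases in a scratch directory. The signed
    case uses a stand-in checker so it needs no real keys; the unsigned cases
    go through gpg_signature_ok, which fails closed because no .asc exists,
    and then exercise the digest fallback."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        keyring = root / "approved-vendor-keys.gpg"  # assumed org-exported keyring
        keyring.write_bytes(b"")
        good = root / "agent-1.4.2.tar.gz"
        good.write_bytes(CONSTRUCTED_PACKAGE)
        pinned = {good.name: hashlib.sha256(CONSTRUCTED_PACKAGE).hexdigest()}
        mirror = root / "mirror"
        mirror.mkdir()
        bad = mirror / good.name  # same name, modified content (e.g. bad mirror)
        bad.write_bytes(CONSTRUCTED_PACKAGE + b"\x90")

        results["signed"] = install_decision(good, keyring, {}, sig_check=lambda *_: True)
        results["unsigned_pinned"] = install_decision(good, keyring, pinned)
        results["unsigned_tampered"] = install_decision(bad, keyring, pinned)
        results["unsigned_unpinned"] = install_decision(good, keyring, {})
        # signature present but made by a key outside the approved keyring
        results["unapproved_signer"] = install_decision(good, keyring, {}, sig_check=lambda *_: False)
    return results


if __name__ == "__main__":
    for case, (accepted, why) in demo().items():
        print(f"{case:18s} {'ALLOW' if accepted else 'DENY '} {why}")
```

Two design points matter for the control. First, "approved by the organization" is enforced by keyring membership, not by the signature being mathematically valid: a vendor-signed artifact from a key the organization never imported is rejected, and the same idea applies to the self-signed-certificate fallback (pin the certificate in an organization-controlled store rather than trusting whatever ships with the artifact). Second, the digest fallback is only as strong as the channel the digest came from; the manifest loaded into `approved` must be obtained separately from the download itself, or a compromised mirror can replace both the package and its published hash.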
Best Practice:
Implement a software whitelisting (allowlisting) solution on servers; this is also required by CM-7(2).
Digitally sign and validate container and Virtual Machine images before deploying to a Production environment.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Configuration showing that the organization verifies cryptographic signatures on all third-party packages installed onto the system
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD