This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components. Related control: SI-7.
NIST 800-53 (r5) Discussion:
Software and firmware integrity verification allows organizations to detect unauthorized changes to software and firmware components using developer-provided tools, techniques, and mechanisms. The integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components.
38North Guidance:
Meets Minimum Requirement:
Ensure software/firmware updates are provided by the vendor.
Establish a list of trusted sources for the latest software/firmware versions.
Best Practice:
None.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Evidence of scripts used by the operations teams that show integrity checks and the frequency at which they are executed.
A list of trusted sources (e.g., vendors) that are used by the organization to verify and validate the latest software and firmware versions.
Sample of artifacts demonstrating that approved checksums, hash algorithms, or other technical integrity checks are being employed during development.
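Added example, not part of the 38North guidance or any vendor tooling: the kind of operations script the "Assessment Evidence" section asks for, verifying a delivered artifact against the developer-provided one-way hash described in the NIST discussion. The firmware bytes, file name and SHA256SUMS-style manifest are constructed here for illustration; the manifest format assumed is the "<hex digest>  <filename>" layout written by sha256sum.

```python
import hashlib
import hmac

# Hash algorithms acceptable for integrity verification. MD5 and SHA-1 are
# excluded because collisions can be constructed for them.
APPROVED_ALGORITHMS = {"sha256", "sha384", "sha512"}

def parse_manifest(manifest_text):
    """Parse a developer-provided checksum manifest in the common
    '<hex digest>  <filename>' format (one entry per line, as written by
    sha256sum). Returns {filename: digest}. Blank lines and '#' comments
    are ignored."""
    entries = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        entries[name] = digest.lower()
    return entries

def verify_artifact(data, filename, manifest_text, algorithm="sha256"):
    """Return (ok, reason). ok is True only when the artifact's digest matches
    the manifest entry for filename, computed with an approved algorithm.
    Every other outcome fails closed."""
    if algorithm not in APPROVED_ALGORITHMS:
        return False, f"algorithm {algorithm} not approved"
    expected = parse_manifest(manifest_text).get(filename)
    if expected is None:
        return False, f"{filename} not listed in manifest"
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison; a length mismatch is also reported as failure.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: artifact altered or manifest stale"
    return True, "integrity verified"

# Constructed sample: a stand-in firmware image and the developer's manifest
# listing its SHA-256 digest (both invented for this example).
FIRMWARE = b"example-firmware-image-v1.2.3\x00" * 64
MANIFEST = (
    "# SHA256SUMS published by the vendor alongside the release\n"
    f"{hashlib.sha256(FIRMWARE).hexdigest()}  firmware-v1.2.3.bin\n"
)

if __name__ == "__main__":
    print(verify_artifact(FIRMWARE, "firmware-v1.2.3.bin", MANIFEST))
    print(verify_artifact(FIRMWARE + b"\x01", "firmware-v1.2.3.bin", MANIFEST))
    print(verify_artifact(FIRMWARE, "firmware-v1.2.3.bin", MANIFEST, "md5"))
```

In production the manifest itself must come from a trusted source (the vendor list this page calls for) and ideally carry a vendor signature; a hash fetched over the same untrusted channel as the artifact proves only that both were altered consistently.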
CSP Implementation Tips:
None.