This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
(b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations. Related control: SA-5.
NIST 800-53 (r5) Discussion:
[Withdrawn: Moved to CM-7(8).]
38North Guidance:
Meets Minimum Requirement:
Prohibit the use of commercial software/firmware and open source software with limited or no warranty and without the provision of source code. Exceptions to the source code requirement may be provided only for compelling mission/operational requirements and with the approval of the FedRAMP authorizing official (AO) or JAB.
Expect applicable firmware and software to be cryptographically signed by the component manufacturer or developer so that the CSP can perform component integrity checks and verify that the component deployed in the information system is the same component type the component manufacturer or developer evaluated and certified.
Monitor whether unauthorized software or components have been installed within the information system (e.g., whitelisting). In the event unauthorized software is detected or identified, the CSP should initiate the incident response process to address and remediate.
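The two preceding items, an integrity check of approved components and a whitelist (allowlist) sweep for software that was never approved, can be illustrated with a small script. The following is an added example written for this page; it is not 38North, FedRAMP or NIST code, and the component names, build contents and digests are constructed. It stands in for manufacturer signature verification with SHA-256 digests recorded at CCB approval time, which is a simplification: a production check would verify the manufacturer's or developer's signature and only then record the approved digest.

```python
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a component image, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_inventory(approved_builds: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every build the CCB approved.

    In practice this is populated from the change-management record after the
    manufacturer/developer signature on each build has been verified; here the
    approved builds are constructed in-memory (hypothetical data).
    """
    return {name: sha256_hex(image) for name, image in approved_builds.items()}


def classify_installed(installed: Dict[str, bytes],
                       inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Allowlist sweep over what is actually installed.

    authorized   - name is in the inventory and the digest matches (integrity OK)
    modified     - name is in the inventory but the image differs (integrity failed)
    unauthorized - name is not in the inventory at all (never approved)
    """
    report: Dict[str, List[str]] = {"authorized": [], "modified": [], "unauthorized": []}
    for name, image in sorted(installed.items()):
        expected = inventory.get(name)
        if expected is None:
            report["unauthorized"].append(name)
        elif hmac.compare_digest(sha256_hex(image), expected):
            # constant-time comparison avoids leaking how many digest chars matched
            report["authorized"].append(name)
        else:
            report["modified"].append(name)
    return report


def needs_incident_response(report: Dict[str, List[str]]) -> bool:
    """Per the guidance above, any modified or unauthorized component should
    trigger the incident response process."""
    return bool(report["modified"] or report["unauthorized"])


# Constructed sample data (hypothetical component names and contents).
APPROVED_BUILDS: Dict[str, bytes] = {
    "agent-collector": b"approved build 1.4.2 of the collector agent",
    "nic-firmware": b"vendor firmware image v7.1",
}
INVENTORY = build_inventory(APPROVED_BUILDS)

# What a host actually reports: one intact component, one tampered firmware
# image, and one binary that never went through change management.
INSTALLED: Dict[str, bytes] = {
    "agent-collector": b"approved build 1.4.2 of the collector agent",
    "nic-firmware": b"vendor firmware image v7.1 (tampered)",
    "unknown-tool": b"some binary nobody approved",
}


def sample_report() -> Dict[str, List[str]]:
    """Run the sweep over the constructed host snapshot."""
    return classify_installed(INSTALLED, INVENTORY)


if __name__ == "__main__":
    rpt = sample_report()
    for category, names in rpt.items():
        print(f"{category:13s}: {', '.join(names) or '-'}")
    print("incident response required:", needs_incident_response(rpt))
```

The sweep distinguishes a component that was approved but no longer matches its approved image from one that was never approved at all; both are findings, but the first points at an integrity failure in an authorized component, while the second points at a gap in the installation controls described in the next item (change management and restricted installation privileges).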
All software installed and executed in the information system should go through the change management process and be approved by the CCB (CM-3) prior to being deployed. Once approved, only authorized personnel with proper privileges should be permitted to install software.
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Information system documentation including administrator guides
Evidence of continuous monitoring for unauthorized software or components (e.g., whitelisting).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD