SI-07 Software, Firmware, and Information Integrity
a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: si-7_prm_1 ; and
b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: si-7_prm_2.
| Parameter ID | Definition |
|---|---|
| si-7_prm_1 | organization-defined software, firmware, and information |
| si-7_prm_2 | organization-defined actions |
| si-07_odp.01 | software |
| si-07_odp.02 | firmware |
| si-07_odp.03 | information |
| si-07_odp.04 | actions |
| si-07_odp.05 | actions |
| si-07_odp.06 | actions |
Baselines
- L
- M
- H
- P
Guidance
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.
References 7
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
- FIPS 180-4 National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4.
- FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
- FIPS 202 National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.
- SP 800-70 Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4.
- SP 800-147 Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147.
Control Enhancements 17
- SI-07(01) Integrity Checks L M H P
- SI-07(02) Automated Notifications of Integrity Violations L M H P
- SI-07(03) Centrally Managed Integrity Tools L M H P
- SI-07(04) Tamper-evident Packaging
- SI-07(05) Automated Response to Integrity Violations L M H P
- SI-07(06) Cryptographic Protection L M H P
- SI-07(07) Integration of Detection and Response L M H P
- SI-07(08) Auditing Capability for Significant Events L M H P
- SI-07(09) Verify Boot Process L M H P
- SI-07(10) Protection of Boot Firmware L M H P
- SI-07(11) Confined Environments with Limited Privileges
- SI-07(12) Integrity Verification L M H P
- SI-07(13) Code Execution in Protected Environments
- SI-07(14) Binary or Machine Executable Code
- SI-07(15) Code Authentication L M H P
- SI-07(16) Time Limit on Process Execution Without Supervision L M H P
- SI-07(17) Runtime Application Self-protection L M H P
Related controls 23
- AC-04 Information Flow Enforcement L M H P
- CM-03 Configuration Change Control L M H P
- CM-07 Least Functionality L M H P
- CM-08 System Component Inventory L M H P
- MA-03 Maintenance Tools L M H P
- MA-04 Nonlocal Maintenance L M H P
- RA-05 Vulnerability Monitoring and Scanning L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SA-09 External System Services L M H P
- SA-10 Developer Configuration Management L M H P
- SC-08 Transmission Confidentiality and Integrity L M H P
- SC-12 Cryptographic Key Establishment and Management L M H P
- SC-13 Cryptographic Protection L M H P
- SC-28 Protection of Information at Rest L M H P
- SC-37 Out-of-band Channels L M H P
- SI-03 Malicious Code Protection L M H P
- SR-03 Supply Chain Controls and Processes L M H P
- SR-04 Provenance L M H P
- SR-05 Acquisition Strategies, Tools, and Methods L M H P
- SR-06 Supplier Assessments and Reviews L M H P
- SR-09 Tamper Resistance and Detection L M H P
- SR-10 Inspection of Systems or Components L M H P
- SR-11 Component Authenticity L M H P