SC-34: Non-Modifiable Executable Programs
Control Family:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
N/A
Next Version:
- NIST Special Publication 800-53 Revision 5:
- SC-34: Non-modifiable Executable Programs
Control Statement
The information system at [Assignment: organization-defined information system components]:
- Loads and executes the operating environment from hardware-enforced, read-only media; and
- Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.
Supplemental Guidance
The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems.
Control Enhancements
SC-34(1): No Writable Storage
Baseline(s):
The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off.
SC-34(2): Integrity Protection / Read-Only Media
Baseline(s):
The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.
SC-34(3): Hardware-Based Protection
Baseline(s):
The organization: Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.