SI-7: Software, Firmware, And Information Integrity

The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].

The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.

The organization employs centrally managed integrity verification tools.

The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.

The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.

The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].

The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].

The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].

The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges.

The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution.

The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles].

The organization: Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.

The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period].