- Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
- Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations.