SC-34: Non-modifiable Executable Programs

CSF v2.0 References:


  • Low


  • Moderate


  • High


  • Privacy


Previous Version:

Control Statement

For [Assignment: organization-defined system components], load and execute:

  1. The operating environment from hardware-enforced, read-only media; and
  2. The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications].

Supplemental Guidance

The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications that run directly on hardware platforms. Hardware-enforced, read-only media include Compact Disc-Recordable (CD-R) and Digital Versatile Disc-Recordable (DVD-R) disk drives as well as one-time, programmable, read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable, read-only memory can be accepted as read-only media provided that integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system, and there are reliable hardware protections against reprogramming the memory while installed in organizational systems.

Control Enhancements

SC-34(1): No Writable Storage


(Not part of any baseline)

Employ [Assignment: organization-defined system components] with no writeable storage that is persistent across component restart or power on/off.