SC-34: Non-modifiable Executable Programs
Control Family:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
N/A
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SC-34: Non-Modifiable Executable Programs
Control Statement
For [Assignment: organization-defined system components], load and execute:
- The operating environment from hardware-enforced, read-only media; and
- The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications].
Supplemental Guidance
The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications that run directly on hardware platforms. Hardware-enforced, read-only media include Compact Disc-Recordable (CD-R) and Digital Versatile Disc-Recordable (DVD-R) disk drives as well as one-time, programmable, read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable, read-only memory can be accepted as read-only media provided that integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system, and there are reliable hardware protections against reprogramming the memory while installed in organizational systems.
Control Enhancements
SC-34(1): No Writable Storage
Baseline(s):
Employ [Assignment: organization-defined system components] with no writeable storage that is persistent across component restart or power on/off.
SC-34(2): Integrity Protection on Read-only Media
Baseline(s):
Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.