SI-7: Software, Firmware, and Information Integrity

Control Statement

  1. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and
  2. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].

Supplemental Guidance

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools, can automatically monitor the integrity of systems and hosted applications.
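An added example, not part of the control text: a minimal file-integrity check in the sense of the control statement, using SHA-256 digests with an HMAC over the baseline (one of the cryptographic mechanisms the guidance lists) and producing an audit record as the action taken on detection. The function names, the key, and the sample tree are assumptions constructed for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def _digests(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def _tag(files, key):
    # Canonical JSON, so one baseline always produces one tag.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_baseline(root, key):
    """Record the authorized state; the HMAC protects the baseline itself."""
    files = _digests(root)
    return {"files": files, "hmac": _tag(files, key)}

def verify(root, baseline, key):
    """Classify every difference between the tree and the baseline."""
    result = {"baseline_tampered": False, "modified": [], "added": [], "removed": []}
    if not hmac.compare_digest(_tag(baseline["files"], key), baseline["hmac"]):
        result["baseline_tampered"] = True  # stored digests cannot be trusted, stop here
        return result
    old, new = baseline["files"], _digests(root)
    result["modified"] = sorted(p for p in old if p in new and old[p] != new[p])
    result["added"] = sorted(set(new) - set(old))
    result["removed"] = sorted(set(old) - set(new))
    return result

def audit_record(findings):
    """One JSON audit line when a violation is found, otherwise None."""
    if not any(findings.values()):
        return None
    return json.dumps({"event": "integrity_violation", **findings}, sort_keys=True)

def demo():
    """Constructed sample tree: baseline it, change it, verify it."""
    key = b"constructed-demo-key"  # assumption: real keys come from a secret store
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.bin", b"v1"), ("boot.cfg", b"secure=1"), ("old.log", b"x")):
            Path(root, name).write_bytes(data)
        baseline = build_baseline(root, key)
        Path(root, "boot.cfg").write_bytes(b"secure=0")  # unauthorized modification
        Path(root, "new.so").write_bytes(b"y")           # unauthorized addition
        Path(root, "old.log").unlink()                   # unauthorized removal
        return verify(root, baseline, key)

if __name__ == "__main__":
    print(audit_record(demo()))
```

A plain list of hashes stored beside the files can be rewritten along with them; keying the baseline with an HMAC is what lets the check notice that as well.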

Control Enhancements

SI-7(1): Integrity Checks

Baseline(s):

  • Moderate
  • High

Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Assignment (one or more): at startup, at [Assignment: organization-defined transitional states or security-relevant events], [Assignment: organization-defined frequency]].

SI-7(6): Cryptographic Protection

Baseline(s):

(Not part of any baseline)

Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

SI-7(7): Integration of Detection and Response

Baseline(s):

  • Moderate
  • High

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system].

SI-7(8): Auditing Capability for Significant Events

Baseline(s):

(Not part of any baseline)

Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Assignment (one or more): generate an audit record, alert current user, alert [Assignment: organization-defined personnel or roles], [Assignment: organization-defined other actions]].

SI-7(9): Verify Boot Process

Baseline(s):

(Not part of any baseline)

Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components].

SI-7(10): Protection of Boot Firmware

Baseline(s):

(Not part of any baseline)

Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms].

SI-7(12): Integrity Verification

Baseline(s):

(Not part of any baseline)

Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software].

SI-7(15): Code Authentication

Baseline(s):

  • High

Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components].