Signed Components CM-5(3)


Overview:
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.


Supplemental Guidance:
Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or by a combination of both. Digital signatures, together with organizational verification of those signatures, are a method of code authentication.


Related controls: CM-7, SC-13, SI-7


Action Items:
1) Ensure information systems prevent the installation of software and firmware components that have not been digitally signed with an organization-approved certificate

 

Related Documents:
1) Secure Systems Configuration Policy

2) Change Management Policy


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CM-5 (3) Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
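As an added example (not part of this article or of the NIST/FedRAMP text), the following Go program shows the installation gate the control describes: a component is accepted only if its signature verifies and the signing key is on an organization-maintained allowlist, and a hash comparison is provided as the fallback the FedRAMP guidance allows. It assumes ed25519 keys standing in for certificates and a constructed allowlist and sample update.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// approvedSigners holds SHA-256 fingerprints of public keys the organization
// has recognized and approved. Assumed for this demo; a real system would
// load it from a protected, change-controlled configuration store.
var approvedSigners = map[string]bool{}

// fingerprint identifies a signing key by the hex SHA-256 of its bytes.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyComponent is the installation gate: the signing key must be on the
// approved list AND the signature must verify over the component bytes.
// A valid signature from an unapproved key is rejected just like a bad one.
func VerifyComponent(component, sig []byte, signer ed25519.PublicKey) error {
	if !approvedSigners[fingerprint(signer)] {
		return errors.New("signer not recognized and approved by the organization")
	}
	if !ed25519.Verify(signer, component, sig) {
		return errors.New("signature invalid or component modified")
	}
	return nil
}

// VerifyHash is the fallback when signatures are unavailable: compare the
// component's SHA-256 with a reference value obtained out of band.
func VerifyHash(component []byte, expectedHex string) bool {
	sum := sha256.Sum256(component)
	return subtle.ConstantTimeCompare([]byte(hex.EncodeToString(sum[:])), []byte(expectedHex)) == 1
}

func main() {
	// Constructed demo: one approved vendor key, one key nobody approved.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	approvedSigners[fingerprint(vendorPub)] = true

	update := []byte("firmware-update-v2.bin contents (constructed)")
	fmt.Println("approved signer:  ", VerifyComponent(update, ed25519.Sign(vendorPriv, update), vendorPub))
	fmt.Println("unapproved signer:", VerifyComponent(update, ed25519.Sign(otherPriv, update), otherPub))
	tampered := append([]byte{}, update...)
	tampered[0] ^= 1
	fmt.Println("tampered update:  ", VerifyComponent(tampered, ed25519.Sign(vendorPriv, update), vendorPub))
}
```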


Moderate Additional FedRAMP Requirements and Guidance
none

 



Article ID: 650
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/signed-components-cm-5-3-650.html