Title

Applications must prevent the installation of organization-defined critical software programs not signed with a certificate that has been recognized and approved by the organization. (Cat II impact)

Discussion

Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, software defined by the organization as critical software may be signed with a certificate recognized and approved by the organization. Examples of critical software programs and/or modules include, for example, patches, service packs, software libraries and where applicable, device drivers. Rationale for non-applicability: This control is required in the MOS SRG. The operating system must control the installation of software to protect itself and other applications. Application enforcement mechanisms are vulnerable to breach by OS privileged processes.

Check Content

This requirement is NA for the MAPP SRG.

Fix Text

The requirement is NA. No fix is required.

Additional Identifiers

Rule ID: SV-46661r1_rule

Vulnerability ID: V-35374

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.