CCI-001749
CCI-001749 Definition
Status | |
Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements a process to prevent the installation of software onto any software components when the vendor provides digitally signed products without verification that software has been digitally signed using a certificate and approved by the organization. DoD has defined the software components as any software components when the vendor provides digitally signed products.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented process for preventing the installation of software onto any software components when the vendor provides digitally signed products without verification that software has been digitally signed using a certificate and approved by the organization. The organization conducting the inspection/assessment reviews software on a sampling of the defined components to ensure that only software digitally signed by a defined CA is installed. DoD has defined the software components as any software components when the vendor provides digitally signed products.
Compelling Evidence
1.) Signed and dated configuration management policy, which documents a process to prevent the installation of software onto any software components when the vendor provides digitally signed products without verification that software has been digitally signed using a certificate and approved by the organization
2.) Sampling of the defined components