CCI-001750
CCI-001750 Definition
Status | |
Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements a process to prevent the installation of firmware onto any firmware components when the vendor provides digitally signed products without verification that firmware has been digitally signed using a certificate and approved by the organization. DoD has defined the critical firmware components as any firmware components when the vendor provides digitally signed products.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented process for preventing the installation of firmware onto any firmware components when the vendor provides digitally signed products without verification that firmware has been digitally signed using a certificate and approved by the organization. The organization conducting the inspection/assessment reviews firmware on a sampling of the defined components to ensure that only firmware digitally signed by a defined CA is installed.
Compelling Evidence
1.) Signed and dated configuration management policy, which documents a process to prevent the installation of firmware onto any firmware components when the vendor provides digitally signed products without verification that firmware has been digitally signed using a certificate and approved by the organization
2.) Sampling of the defined components