CCI-003993
CCI-003993 Definition
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
Determine if: - the installation of [CM-14_ODP[01]; software components requiring verification of a digitally signed certificate before installation are defined] is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization. - the installation of [CM-14_ODP[02]; firmware components requiring verification of a digitally signed certificate before installation are defined] is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.
Validation Procedures
Examine: [SELECT FROM: Configuration management policy; procedures addressing digitally signed certificates for software and firmware components; configuration management plan; system security plan; system design documentation; change control records; system component inventory; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for verifying digitally signed certificates for software and firmware component installation; organizational personnel with information security responsibilities; system/network administrators; system developers]. Test: [SELECT FROM: Organizational processes governing information location; mechanisms enforcing policies and methods for governing information location; automated tools supporting or implementing digitally signatures for software and firmware components; automated tools supporting or implementing verification of digital signatures for software and firmware component installation].