CCI-000698

Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.

Implementation Guidance

The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service enable integrity verification of software and firmware components. The organization being inspected/assessed requires the developer to enable integrity verification of software and firmware that may include: 1. Stipulating and monitoring logical delivery of products and services, requiring downloading from approved, verification-enhanced sites; 2. Encrypting elements (software, software patches, etc) and supply chain process data in transit (motion) and at rest throughout delivery; 3. Requiring suppliers to provide their elements “secure by default”, so that additional configuration is required to make the element insecure; 4. Implementing software designs using programming languages and tools that reduce the likelihood of weaknesses; 5. Implementing cryptographic hash verification; and 6. Establishing performance and sub-element baseline for the system and system elements to help detect unauthorized tampering/modification during repairs/refurbishing.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service enable integrity verification of software and firmware components.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan must document developer integrity verification of software and firmware components.

The controls below (if any) were marked by NIST as being related to CCI-000698.