Navigate

SC-34(2)

SC-34(2): Integrity Protection on Read-only Media

Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.

Supplemental

Controls prevent the substitution of media into systems or the reprogramming of programmable read-only media prior to installation into the systems. Integrity protection controls include a combination of prevention, detection, and response.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-34(2).

Control	Description
CM-3	a: Determine and document the types of changes to the system that are configuration-controlled; b: Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c: Document configuration change decisions associated with the system; d: Implement approved configuration-controlled changes to the system; e: Retain records of configuration-controlled changes to the system for [the time period to retain records of configuration-controlled changes is defined;]; f: Monitor and review activities associated with configuration-controlled changes to the system; and g: Coordinate and provide oversight for configuration change control activities through [the configuration change control element responsible for coordinating and overseeing change control activities is defined;] that convenes [one or more of "{{ insert: param, cm-03_odp.04 }} "/"when {{ insert: param, cm-03_odp.05 }} "].
CM-5	Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
CM-9	Develop, document, and implement a configuration management plan for the system that: a: Addresses roles, responsibilities, and configuration management processes and procedures; b: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c: Defines the configuration items for the system and places the configuration items under configuration management; d: Is reviewed and approved by [personnel or roles to review and approve the configuration management plan is/are defined;] ; and e: Protects the configuration management plan from unauthorized disclosure and modification.
MP-2	Restrict access to [one of ] to [one of ].
MP-4	a: Physically control and securely store [one of ] within [one of ] ; and b: Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5	a: Protect and control [types of system media to protect and control during transport outside of controlled areas are defined;] during transport outside of controlled areas using [one of ]; b: Maintain accountability for system media during transport outside of controlled areas; c: Document activities associated with the transport of system media; and d: Restrict the activities associated with the transport of system media to authorized personnel.
SC-28	Protect the [one or more of "confidentiality"/"integrity"] of the following information at rest: [information at rest requiring protection is defined;].
SI-3	a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c: Configure malicious code protection mechanisms to: 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Enhancements

The controls below (if any) add on to the requirements of SC-34(2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SC-34(2).

CCI	Definition
CCI-001216	Protect the integrity of information prior to storage on read-only media.
CCI-002507	Control read-only media after information has been recorded onto the media.