Navigate

SI-7

SI-7: Software, Firmware, and Information Integrity

a: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [one of ] ; and

b: Take the following actions when unauthorized changes to the software, firmware, and information are detected: [one of ].

Supplemental

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.

CIA Levels
Confidentiality	unknown
Integrity	moderate
Availability	unknown

Overlays
DAF Baseline, Int-A, Int-B, Int-C, Privacy (high), Privacy (moderate)

CSF Categories
PR.DS-6

Related Controls

The controls below (if any) were marked by NIST as being related to SI-7.

Control	Description
AC-4	Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [information flow control policies within the system and between connected systems are defined;].
CM-3	a: Determine and document the types of changes to the system that are configuration-controlled; b: Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c: Document configuration change decisions associated with the system; d: Implement approved configuration-controlled changes to the system; e: Retain records of configuration-controlled changes to the system for [the time period to retain records of configuration-controlled changes is defined;]; f: Monitor and review activities associated with configuration-controlled changes to the system; and g: Coordinate and provide oversight for configuration change control activities through [the configuration change control element responsible for coordinating and overseeing change control activities is defined;] that convenes [one or more of "{{ insert: param, cm-03_odp.04 }} "/"when {{ insert: param, cm-03_odp.05 }} "].
CM-7	a: Configure the system to provide only [mission-essential capabilities for the system are defined;] ; and b: Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [one of ].
CM-8	a: Develop and document an inventory of system components that: 1: Accurately reflects the system; 2: Includes all components within the system; 3: Does not include duplicate accounting of components or components assigned to any other system; 4: Is at the level of granularity deemed necessary for tracking and reporting; and 5: Includes the following information to achieve system component accountability: [information deemed necessary to achieve effective system component accountability is defined;] ; and b: Review and update the system component inventory [frequency at which to review and update the system component inventory is defined;].
MA-3	a: Approve, control, and monitor the use of system maintenance tools; and b: Review previously approved system maintenance tools [frequency at which to review previously approved system maintenance tools is defined;].
MA-4	a: Approve and monitor nonlocal maintenance and diagnostic activities; b: Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c: Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d: Maintain records for nonlocal maintenance and diagnostic activities; and e: Terminate session and network connections when nonlocal maintenance is completed.
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
SA-8	Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [one of ].
SA-9	a: Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [controls to be employed by external system service providers are defined;]; b: Define and document organizational oversight and user roles and responsibilities with regard to external system services; and c: Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [processes, methods, and techniques employed to monitor control compliance by external service providers are defined;].
SA-10	Require the developer of the system, system component, or system service to: a: Perform configuration management during system, component, or service [one or more of "design"/"development"/"implementation"/"operation"/"disposal"]; b: Document, manage, and control the integrity of changes to [configuration items under configuration management are defined;]; c: Implement only organization-approved changes to the system, component, or service; d: Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and e: Track security flaws and flaw resolution within the system, component, or service and report findings to [personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;].
SC-8	Protect the [one or more of "confidentiality"/"integrity"] of transmitted information.
SC-12	Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [requirements for key generation, distribution, storage, access, and destruction are defined;].
SC-13	a: Determine the [cryptographic uses are defined;] ; and b: Implement the following types of cryptography required for each specified cryptographic use: [types of cryptography for each specified cryptographic use are defined;].
SC-28	Protect the [one or more of "confidentiality"/"integrity"] of the following information at rest: [information at rest requiring protection is defined;].
SC-37	Employ the following out-of-band channels for the physical delivery or electronic transmission of [information, system components, or devices to employ out-of-band-channels for physical delivery or electronic transmission are defined;] to [individuals or systems to which physical delivery or electronic transmission of information, system components, or devices is to be achieved via the employment of out-of-band channels are defined;]: [out-of-band channels to be employed for the physical delivery or electronic transmission of information, system components, or devices to individuals or the system are defined;].
SI-3	a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c: Configure malicious code protection mechanisms to: 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
SR-3	a: Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;] in coordination with [supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;]; b: Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;] ; and c: Document the selected and implemented supply chain processes and controls in [one or more of "security and privacy plans"/"supply chain risk management plan"/"{{ insert: param, sr-03_odp.05 }} "].
SR-4	Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [systems, system components, and associated data that require valid provenance are defined;].
SR-5	Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;].
SR-6	Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;].
SR-9	Implement a tamper protection program for the system, system component, or system service.
SR-10	Inspect the following systems or system components [one or more of "at random"/"at {{ insert: param, sr-10_odp.03 }} "/"upon {{ insert: param, sr-10_odp.04 }} "] to detect tampering: [systems or system components that require inspection are defined;].
SR-11	a: Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and b: Report counterfeit system components to [one or more of "source of counterfeit component"/"{{ insert: param, sr-11_odp.02 }} "/"{{ insert: param, sr-11_odp.03 }} "].

Enhancements

The controls below (if any) add on to the requirements of SI-7.

Control	Description
SI-7(1)	Perform an integrity check of [one of ] [one or more of "at startup"/"at {{ insert: param, si-7.1_prm_3 }} "/"{{ insert: param, si-7.1_prm_4 }} "].
SI-7(2)	Employ automated tools that provide notification to [personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined;] upon discovering discrepancies during integrity verification.
SI-7(3)	Employ centrally managed integrity verification tools.
SI-7(4)
SI-7(5)	Automatically [one or more of "shut down the system"/"restart the system"/"implement {{ insert: param, si-07.05_odp.02 }} "] when integrity violations are discovered.
SI-7(6)	Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
SI-7(7)	Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [security-relevant changes to the system are defined;].
SI-7(8)	Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [one or more of "generate an audit record"/"alert current user"/"alert {{ insert: param, si-07.08_odp.02 }} "/"{{ insert: param, si-07.08_odp.03 }} "].
SI-7(9)	Verify the integrity of the boot process of the following system components: [system components requiring integrity verification of the boot process are defined;].
SI-7(10)	Implement the following mechanisms to protect the integrity of boot firmware in [system components requiring mechanisms to protect the integrity of boot firmware are defined;]: [mechanisms to be implemented to protect the integrity of boot firmware in system components are defined;].
SI-7(11)
SI-7(12)	Require that the integrity of the following user-installed software be verified prior to execution: [user-installed software requiring integrity verification prior to execution is defined;].
SI-7(13)
SI-7(14)
SI-7(15)	Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;].
SI-7(16)	Prohibit processes from executing without supervision for more than [the maximum time period permitted for processes to execute without supervision is defined;].
SI-7(17)	Implement [controls to be implemented for application self-protection at runtime are defined;] for application self-protection at runtime.

Related CCIs

The CCIs below are tied to SI-7.

CCI	Definition
CCI-002703	Defines the software, firmware, and information which will be subjected to integrity verification tools to detect unauthorized changes.
CCI-002704	Employ integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information.
CCI-004996	Take organization-defined actions when unauthorized changes to the software, firmware, and information are detected.
CCI-004997	Defines the actions to be taken when unauthorized changes to the software, firmware, and information are detected.