Device Class 3: Software, Firmware, And Information Integrity

Control ID: SI-7 Software, Firmware, And Information Integrity
Family: System and Information Integrity
Source: NIST 800-53r4
Control: The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
Supplemental Guidance:
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels and drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.

Related Controls: SA-12, SC-8, SC-13, SI-3
Control Enhancements:
(1) Software, Firmware, And Information Integrity | Integrity Checks
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
Supplemental Guidance: Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.
Related Controls: N/A

(2) Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations
The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
Supplemental Guidance: The use of automated tools to report integrity violations and to notify organizational personnel in a timely manner is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers.
Related Controls: N/A

(5) Software, Firmware, And Information Integrity | Automated Response To Integrity Violations
The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.
Supplemental Guidance: Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur.
Related Controls: N/A

(7) Software, Firmware, And Information Integrity | Integration Of Detection And Response
The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.
Supplemental Guidance: This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.
Related Controls: IR-4, IR-5, SI-4

(9) Software, Firmware, And Information Integrity | Verify Boot Process
The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].
Supplemental Guidance: Ensuring the integrity of boot processes is critical to starting devices in known/trustworthy states. Integrity verification mechanisms provide organizational personnel with assurance that only trusted code is executed during boot processes.
Related Controls: N/A

(10) Software, Firmware, And Information Integrity | Protection Of Boot Firmware
The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].
Supplemental Guidance: Unauthorized modifications to boot firmware may be indicative of a sophisticated, targeted cyber-attack. These types of cyber-attacks can result in a permanent denial of service (e.g., if the firmware is corrupted) or a persistent malicious code presence (e.g., if code is embedded within the firmware). Devices can protect the integrity of the boot firmware in organizational information systems by: (i) verifying the integrity and authenticity of all updates to the boot firmware prior to applying changes to the boot devices; and (ii) preventing unauthorized processes from modifying the boot firmware.
Related Controls: N/A

(14) Software, Firmware, And Information Integrity | Binary Or Machine Executable Code
The organization:
  1. Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
  2. Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

Supplemental Guidance: This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations.
Related Controls: SA-5
References: NIST Special Publications 800-147, 800-155.
Mechanisms:

  • The device shall support integrity checks on software, hardware, and information under certain conditions.
  • The device shall protect the list of what is checked and under what circumstances from unauthorized modification per IA-2.
  • The device shall support the integrity checks specified in NIST SP 800-147 section 3.1.2.
  • The integrity checks supported by the device shall be hardware-based, i.e., they shall use cryptographic information stored in hardware such as a cryptographically secure hash value or a public key to be used for verification.
  • Approved mechanisms for satisfying secure boot process in enhancements 9 and 10.
  • Approved mechanisms specific to dealing with integration of detection and response are specified in IR-4, IR-5.
  • The device shall either shut down or restart on detection of an integrity violation. Different violations may result in different responses (i.e., a device may support both restart and shutdown and use them in different circumstances).
  • The device shall notify the device operator of integrity violations. For a vehicle device, this requires notification of the vehicle operator. For roadside equipment, this requires notification of the operator of that equipment.
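The following is an added illustration of how these mechanisms fit together, not code from this profile or from any device vendor: a public key and a SHA-256 reference hash stand in for the verification data a real device would hold in hardware, boot firmware is checked by signature and the software image by hash, and each class of violation is mapped to the restart or shutdown response and an operator notification message. The images, key pair and the Provision/Check function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
)

// TrustAnchors stands in for the verification data a real device keeps in
// hardware (e.g. OTP fuses or a TPM); here it is constructed in memory.
type TrustAnchors struct {
	FirmwarePubKey ed25519.PublicKey // verifies boot firmware (enhancements 9 and 10)
	SoftwareHash   [32]byte          // SHA-256 of the approved software image
}

// Response is the automated reaction chosen for a violation (enhancement 5).
type Response int

const (
	Proceed  Response = iota // all checks passed
	Restart                  // software image mismatch: reload and restart
	Shutdown                 // boot firmware not authentic: refuse to run
)

// Provision simulates the trusted provisioning step: generate the signing key
// pair, sign the boot firmware, record the software reference hash.
func Provision(firmware, software []byte) (TrustAnchors, []byte) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	anchors := TrustAnchors{FirmwarePubKey: pub, SoftwareHash: sha256.Sum256(software)}
	return anchors, ed25519.Sign(priv, firmware)
}

// Check runs the startup checks in order of criticality and maps each class of
// violation to its response; the message is what the operator notification
// (enhancement 2) would carry.
func Check(a TrustAnchors, firmware, firmwareSig, software []byte) (Response, string) {
	if !ed25519.Verify(a.FirmwarePubKey, firmware, firmwareSig) {
		return Shutdown, "boot firmware failed signature verification"
	}
	h := sha256.Sum256(software)
	if subtle.ConstantTimeCompare(h[:], a.SoftwareHash[:]) != 1 {
		return Restart, "software image hash does not match reference"
	}
	return Proceed, ""
}
```

A device would run Check at startup and at the other transitional states or frequency selected under enhancement (1), with the selection itself protected from modification as the second mechanism bullet requires.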

Protocol Implementation Conformance Statements:
ID         Statement                                                                                   Status  Reference  Notes
SI-7/1     Supports integrity checks on software, hardware and information under certain conditions.   M
SI-7/2     Protects the list of what is checked and under what circumstances from unauthorized          M       IA-2
           modification.
SI-7/3     Supports the integrity checks specified in NIST SP 800-147 section 3.1.2.                    M
SI-7/4     Integrity checks are hardware-based.                                                         M
SI-7/5     Verifies boot process.                                                                       M                  Document mechanisms
SI-7/6     Protects boot firmware.                                                                      M                  Document mechanisms
SI-7/7.1   Integrity violation response: restart.                                                       O1
SI-7/7.2   Integrity violation response: shutdown.                                                      O1
SI-7/7.3   Integrity violation notification.                                                            M                  Describe notification mechanisms