NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-10(5) Digital Signatures

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Use digital signatures to provide non-repudiation. Digital signatures provide the strongest form of proof that a specific person performed a specific action.

Example 1: Deploy a PKI (Active Directory Certificate Services or a commercial CA) and issue signing certificates to key personnel. Configure email clients to sign all outgoing correspondence with S/MIME certificates. Recipients can verify the sender's identity by checking the certificate chain.

Example 2: For code and script signing, require developers to sign all PowerShell scripts and executables with their code signing certificate. Set the PowerShell execution policy to AllSigned via GPO so that only signed scripts can execute. Unsigned or tampered scripts are blocked.
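The following PowerShell is an added example, not part of the original note or any Microsoft documentation: it signs a script with a code-signing certificate, audits a script folder for unsigned or tampered files, and applies the AllSigned policy locally. The folder path, the timestamp server URL and the presence of a code-signing certificate in the user's personal store are assumptions.

```powershell
# Added example. Assumes a valid code-signing certificate in Cert:\CurrentUser\My,
# a script folder (placeholder path) and a timestamp authority URL (placeholder).
$scriptRoot      = 'C:\Scripts'                        # placeholder path
$timestampServer = 'http://timestamp.example.invalid'  # placeholder; use your CA's TSA

# Pick the first unexpired code-signing certificate from the user's personal store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# Sign one script. A timestamp keeps the signature verifiable after the certificate expires.
function Add-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $timestampServer
}

# Audit: list every script whose signature is missing or no longer matches its content.
# With AllSigned in force these are exactly the files PowerShell will refuse to run.
function Get-ScriptSignatureReport {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.ps1, *.psm1 | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $action = switch ($sig.Status) {
            'Valid'        { 'OK' }
            'NotSigned'    { 'Blocked: unsigned' }
            'HashMismatch' { 'Blocked: content changed after signing' }
            default        { "Blocked: $($sig.Status)" }
        }
        [pscustomobject]@{
            Script = $_.FullName
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $signer
            Action = $action
        }
    }
}

# Sign a constructed sample script, then audit the folder.
Set-Content -Path (Join-Path $scriptRoot 'sample.ps1') -Value 'Write-Output "hello"'
Add-ScriptSignature -Path (Join-Path $scriptRoot 'sample.ps1')
Get-ScriptSignatureReport -Root $scriptRoot | Format-Table -AutoSize

# Enforce AllSigned on this host (requires an elevated session); the GPO from the note
# does the same centrally and takes precedence over the local setting.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Get-ExecutionPolicy -List
```

Re-run the audit after any script edit: a file changed after signing reports HashMismatch, which is the tampering case the note describes.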