NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-14 Signed Components

Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or by a combination of both. Digital signatures, together with organizational verification of those signatures, are a method of code authentication.

Practitioner Notes

This control requires that system components use digitally signed code to verify integrity and authenticity — ensuring software has not been tampered with since it was produced.

Example 1: Require all vendor software to include valid code signing certificates and verify signatures before deploying updates to production systems.

Example 2: Sign all internally developed PowerShell scripts and configure your execution policy to AllSigned, preventing execution of unsigned or tampered scripts.
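The following is an added example, not part of NIST SP 800-53 or of this page, showing how both practitioner examples can be enforced on a Windows host. It gates installation on two checks that CM-14 requires: the Authenticode signature must verify (which fails for unsigned or tampered files), and the signing certificate must be on an organization-maintained allow list, since a signature that is merely valid could come from any certificate a trusted root has issued. The thumbprint values, the function names and the staging path are assumptions for illustration.

```powershell
# Added example (not from NIST SP 800-53 or this page): a pre-installation gate for CM-14.
# A component is accepted only if (1) its Authenticode signature is valid and chains to a
# trusted root, and (2) the signing certificate's thumbprint is on the organization's
# approved list. The thumbprints below are PLACEHOLDERS; replace them with the thumbprints
# of the code-signing certificates your organization has actually approved.

$ApprovedSignerThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-VENDOR-A',            # placeholder: approved vendor certificate
    'PLACEHOLDER-THUMBPRINT-INTERNAL-CODESIGN'    # placeholder: internal code-signing certificate
)

function Test-ApprovedSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $ApprovedThumbprints = $ApprovedSignerThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Any status other than 'Valid' fails the gate: NotSigned, HashMismatch (file modified
    # after signing), NotTrusted (chain does not reach a trusted root), UnknownError, etc.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path rejected: signature status '$($sig.Status)' ($($sig.StatusMessage))"
        return $false
    }

    # A valid signature is necessary but not sufficient. CM-14 also requires that the
    # certificate be one the organization recognizes and approves, so pin by thumbprint.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($ApprovedThumbprints -notcontains $thumb) {
        Write-Warning "$Path rejected: signer '$($sig.SignerCertificate.Subject)' ($thumb) is not an approved certificate"
        return $false
    }

    Write-Verbose "$Path accepted: signed by '$($sig.SignerCertificate.Subject)'"
    return $true
}

function Install-SignedComponent {
    param(
        [Parameter(Mandatory)] [string]      $Path,
        [Parameter(Mandatory)] [scriptblock] $InstallAction
    )
    # The installer runs only after the component passes both checks.
    if (-not (Test-ApprovedSignature -Path $Path)) {
        throw "CM-14: installation of '$Path' blocked; component is not signed with an approved certificate."
    }
    & $InstallAction $Path
}

# Usage for Example 1 (assumed staging path): gate a vendor patch before its installer runs.
# Install-SignedComponent -Path 'C:\Staging\vendor-update.msi' -InstallAction {
#     param($p) Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$p`" /qn" -Wait
# }

# Example 2: require a valid signature on every script machine-wide, so unsigned or
# modified scripts do not execute. Run once from an elevated prompt.
# Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
```

Two design points matter in practice. First, the allow list is keyed on certificate thumbprints rather than on subject names, because a subject string can be reproduced in another certificate while a thumbprint identifies exactly one. Second, the execution policy only governs scripts; it does not sign or verify installers, drivers or firmware, which is why the explicit gate above is still needed for those component types.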