NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-5(3) Signed Components

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement requires that software and firmware components be digitally signed to prevent tampering. Only signed, verified code should be allowed to run or be installed.

Example 1: Configure Windows Defender Application Control (WDAC) to require valid digital signatures on all executables before they are allowed to run.

Example 2: Verify GPG signatures on Linux packages before installation and configure your package manager (apt/yum) to reject unsigned packages.
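One way to check Example 2 on an existing host is to audit the apt and yum/dnf configuration for settings that switch signature verification off. The script below is an added example, not part of the original control text; the function names, the sample tree, and the repo.example URLs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find apt and yum/dnf settings that disable signature checks.

# scan PATTERN PATH...: print matching, non-comment lines as file:line:text.
scan() {
    pattern=$1; shift
    grep -rEniH -- "$pattern" "$@" 2>/dev/null |
        grep -Ev '^[^:]+:[0-9]+:[[:space:]]*(#|//)' || true
}

# find_unsigned_overrides ROOT: ROOT is "/" on a real host.
find_unsigned_overrides() {
    root=${1%/}
    # apt options that permit unauthenticated packages or repositories
    scan '(AllowUnauthenticated|AllowInsecureRepositories|AllowDowngradeToInsecureRepositories)[[:space:]]+"?(true|yes|1)' \
        "$root/etc/apt/apt.conf" "$root/etc/apt/apt.conf.d"
    # apt sources marked trusted, which skips signature verification
    scan '(\[[^]]*trusted=yes|^[[:space:]]*Trusted:[[:space:]]*yes)' \
        "$root/etc/apt/sources.list" "$root/etc/apt/sources.list.d"
    # yum/dnf repositories with package signature checking switched off
    scan '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*(0|no|false)' \
        "$root/etc/yum.conf" "$root/etc/dnf/dnf.conf" "$root/etc/yum.repos.d"
}

# build_sample_tree: constructed sample configuration, not from a real host.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/apt.conf.d" "$t/etc/apt/sources.list.d" "$t/etc/yum.repos.d"
    printf '%s\n' '// APT::Get::AllowUnauthenticated "true";' \
        'APT::Get::AllowUnauthenticated "true";' > "$t/etc/apt/apt.conf.d/99local"
    printf '%s\n' 'deb [signed-by=/usr/share/keyrings/example.gpg] https://repo.example/apt stable main' \
        'deb [arch=amd64 trusted=yes] https://repo.example/internal stable main' \
        > "$t/etc/apt/sources.list.d/example.list"
    printf '%s\n' '[base]' 'gpgcheck=1' '[internal]' 'gpgcheck = 0' \
        > "$t/etc/yum.repos.d/example.repo"
    echo "$t"
}

# Run with --demo to scan the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
    tree=$(build_sample_tree)
    find_unsigned_overrides "$tree"
    rm -rf "$tree"
fi
```

Any line the audit prints is a place where an unsigned package could be installed; an empty result means none of these overrides are present in the scanned files.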