NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-10(1) Software and Firmware Integrity Verification

Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Software and firmware integrity verification allows organizations to detect unauthorized changes to software and firmware components using developer-provided tools, techniques, and mechanisms. The integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components.

Practitioner Notes

Verify the integrity of software and firmware to ensure it has not been tampered with during development, distribution, or installation.

Example 1: Implement code signing for all internally developed software. Sign release builds with your organization's code signing certificate so that any tampering after signing is detectable. Configure endpoints to run only signed code, enforced through Windows Defender Application Control or AppLocker.

Example 2: When downloading software from vendors, verify the file hash or digital signature against the vendor's published values before installing. Automate this in your deployment pipeline: the script downloads the software, verifies the hash, and proceeds with installation only if the hash matches.
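A fail-closed version of the Example 2 check, added here as illustration rather than taken from NIST or any vendor: it parses a vendor-published SHA256SUMS-style list, streams the downloaded file through SHA-256, and returns True only on an exact match. The file name, the checksum text and the tampered copy in check_sample() are constructed sample data; the download step itself is assumed to happen before this check runs.

```python
import hashlib
import hmac
import os
import re
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksums(text):
    """Parse 'hash  filename' lines as sha256sum writes them; reject malformed ones."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            raise ValueError(f"checksum file line {lineno} is malformed: {line!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()  # '*' marks binary mode
    return expected

def verify_artifact(path, checksums_text):
    """True only if the file's SHA-256 equals its published entry. A missing
    entry or a mismatch is False so the caller refuses to install (fail closed)."""
    expected = parse_checksums(checksums_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    # Constant-time compare: a mismatch gives no hint of how many bytes matched.
    return hmac.compare_digest(sha256_of_file(path), expected[name])

def check_sample():
    """Constructed sample: a fake installer containing b'abc', the vendor's
    matching SHA256SUMS line, and a tampered copy with one nibble changed."""
    path = os.path.join(tempfile.mkdtemp(), "vendor-tool-1.2.3.exe")
    with open(path, "wb") as fh:
        fh.write(b"abc")  # SHA-256(b"abc") = ba7816bf...20015ad, a standard test vector
    good = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
            "  vendor-tool-1.2.3.exe\n")
    tampered = good.replace("ba7816bf", "ba7816b0")
    return (verify_artifact(path, good),      # True: install may proceed
            verify_artifact(path, tampered),  # False: refuse
            verify_artifact(path, ""))        # False: no published value at all
```

Obtain the published checksum text over a channel separate from the download itself (the vendor's signed release page or a signed checksum file); a hash served from the same location as a tampered binary would simply be tampered with too.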