NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-34 Non-modifiable Executable Programs

For {{ insert: param, sc-34_odp.01 }}, load and execute:

a. The operating environment from hardware-enforced, read-only media; and
b. The following applications from hardware-enforced, read-only media: {{ insert: param, sc-34_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications that run directly on hardware platforms. Hardware-enforced, read-only media include Compact Disc-Recordable (CD-R) and Digital Versatile Disc-Recordable (DVD-R) disk drives as well as one-time, programmable, read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable, read-only memory can be accepted as read-only media provided that integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system, and there are reliable hardware protections against reprogramming the memory while installed in organizational systems.

Practitioner Notes

Use non-modifiable executable programs — boot from read-only media or write-protected storage so attackers cannot permanently alter your system software.

Example 1: Boot thin clients from a read-only image stored on the network or in firmware. Even if malware executes during a session, a reboot restores the clean, unmodified image. The malware cannot persist.

Example 2: Use UEFI Secure Boot to verify the integrity of boot components before execution. The firmware checks digital signatures on the bootloader and kernel — unsigned or modified code is rejected before it can run.
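The two practitioner examples above describe what an assessor would look for on a host: system software that cannot be written to, and a firmware boot path that verifies signatures. The following script is an added illustration, not part of the NIST catalog text or any organization's assessment tooling. It gathers that evidence from two Linux sources: the `/proc/mounts` table (to confirm that the root and `/usr` file systems are mounted `ro`) and the `SecureBoot` variable as exposed by efivarfs (a 4-byte attribute word followed by a one-byte value, 1 meaning enabled). Both inputs below are constructed samples so the script runs offline; on a real host you would read `/proc/mounts` and `/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` instead. The mount points checked and the finding strings are this example's own choices.

```python
"""SC-34 evidence collection helpers (added example, not NIST catalog text).

Assumes Linux conventions: /proc/mounts has the layout
"device mountpoint fstype options dump pass", and the efivarfs SecureBoot
variable is 4 bytes of attributes followed by a single value byte.
"""
from typing import Dict, List, Optional, Sequence

# Constructed sample of /proc/mounts: root and /usr are read-only,
# /var and /tmp stay writable for logs and scratch data.
SAMPLE_PROC_MOUNTS = """\
/dev/sda2 / ext4 ro,relatime,errors=remount-ro 0 0
/dev/sda3 /usr ext4 ro,nodev,relatime 0 0
/dev/sda4 /var ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Constructed contents of the efivarfs SecureBoot variable file:
# 4-byte attribute word (0x06 = bootservice + runtime access) then the value.
SECUREBOOT_ENABLED = bytes.fromhex("06000000" "01")
SECUREBOOT_DISABLED = bytes.fromhex("06000000" "00")


def parse_proc_mounts(text: str) -> Dict[str, List[str]]:
    """Map each mount point to its list of mount options."""
    mounts: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line; ignore
        # fields[1] is the mount point, fields[3] the comma-separated options.
        mounts[fields[1]] = fields[3].split(",")
    return mounts


def is_read_only(mounts: Dict[str, List[str]], mount_point: str) -> Optional[bool]:
    """True if mounted ro, False if rw, None if the path is not a mount point."""
    opts = mounts.get(mount_point)
    if opts is None:
        return None
    return "ro" in opts


def secure_boot_enabled(efivar_data: bytes) -> Optional[bool]:
    """Decode the SecureBoot variable; None if the data is absent or malformed."""
    if len(efivar_data) < 5:
        return None
    return efivar_data[4] == 1


def assess(mounts_text: str, efivar_data: bytes,
           required_ro: Sequence[str] = ("/", "/usr")) -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings: List[str] = []
    mounts = parse_proc_mounts(mounts_text)
    for mp in required_ro:
        state = is_read_only(mounts, mp)
        if state is None:
            findings.append(f"{mp}: not mounted")
        elif not state:
            findings.append(f"{mp}: mounted read-write")
    sb = secure_boot_enabled(efivar_data)
    if sb is None:
        findings.append("SecureBoot: variable missing or malformed")
    elif not sb:
        findings.append("SecureBoot: disabled")
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; on a real host read the two
    # files named in the module docstring and pass their contents instead.
    for label, data in (("enabled", SECUREBOOT_ENABLED), ("disabled", SECUREBOOT_DISABLED)):
        result = assess(SAMPLE_PROC_MOUNTS, data)
        print(f"SecureBoot {label}: {result or 'no findings'}")
```

A read-only mount is enforced by the kernel, not by the media, so a clean result from this script is evidence toward SC-34 rather than proof of it: the control asks for hardware-enforced, read-only media, and a root user who can remount the file system read-write defeats a software-only `ro` flag. Pair the mount check with records of the media type (optical, OTP ROM, or write-protected flash with a hardware switch) and with the Secure Boot state, which the firmware enforces before the kernel is loaded.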