NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-7 Software, Firmware, and Information Integrity

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }}; and take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}.

Supplemental Guidance

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.

Practitioner Notes

Detect unauthorized changes to software, firmware, and data. If an attacker modifies a system file, replaces firmware, or alters database records, you need to know about it.

Example 1: Deploy a file integrity monitoring (FIM) tool like Tripwire, OSSEC, or the FIM capability built into Microsoft Defender for Endpoint. Monitor critical system files, configuration files, and executables. Any unauthorized change triggers an alert.

Example 2: Enable Windows Resource Protection and System File Checker (sfc /scannow) as part of your baseline security checks. These Windows built-in features detect when protected system files have been modified or replaced and can automatically restore the original versions.