NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-7(10) Protection of Boot Firmware

Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Unauthorized modifications to boot firmware may indicate a sophisticated, targeted attack. These types of targeted attacks can result in a permanent denial of service or a persistent malicious code presence. These situations can occur if the firmware is corrupted or if the malicious code is embedded within the firmware. System components can protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of all updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware.

Practitioner Notes

Protect boot firmware from unauthorized modification — firmware-level malware persists across OS reinstallations and is extremely difficult to detect.

Example 1: Enable the BIOS/UEFI write-protection feature on your systems. Most enterprise systems have a BIOS setting that prevents firmware updates without physical presence or an administrator password.

Example 2: Deploy systems with Intel Boot Guard enabled in the firmware. Boot Guard creates a hardware root of trust that verifies firmware integrity before any code executes. Even with physical access, an attacker cannot install malicious firmware without the manufacturer's signing key.