NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-7(6) Cryptographic Protection

Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Cryptographic mechanisms used to protect integrity include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions.

Practitioner Notes

Use cryptographic mechanisms — digital signatures, cryptographic hashes — to verify software and firmware integrity rather than relying on simple checksums.

Example 1: Verify GPG or Authenticode digital signatures on all software before installation. On Windows, check that executables are signed by the expected publisher. Use "Get-AuthenticodeSignature" in PowerShell to verify signatures programmatically.

Example 2: Before applying firmware updates to network devices, verify the firmware image's SHA-256 hash against the hash published on the vendor's secure download site. Never install firmware without hash verification.
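The check in Example 2, as an added example that is not part of the original page: a Python routine that verifies a firmware image against a vendor-published SHA-256 manifest and fails closed when no valid entry exists. The sha256sum-style manifest layout, the file name and the function names are assumptions, and the image bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large firmware images are never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse 'HASH  FILENAME' lines (assumed sha256sum layout) into a dict."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if SHA256_HEX.fullmatch(digest):  # skip truncated or non-SHA-256 values
            entries[name] = digest
    return entries

def verify_image(image_path, manifest_text):
    """True only when the image's SHA-256 equals its published entry."""
    expected = parse_manifest(manifest_text).get(Path(image_path).name)
    if expected is None:
        return False  # no published hash for this file: fail closed
    return hmac.compare_digest(sha256_file(image_path), expected)

def demo():
    """Constructed image: verify it, flip its last byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "device-fw-1.0.bin"  # hypothetical file name
        image.write_bytes(b"constructed firmware image\n" * 4096)
        manifest = f"{sha256_file(image).upper()}  {image.name}\n"
        intact = verify_image(image, manifest)
        image.write_bytes(image.read_bytes()[:-1] + b"X")
        tampered = verify_image(image, manifest)
        return intact, tampered

if __name__ == "__main__":
    print(demo())
```

The manifest text should come from the vendor's secure download site, as Example 2 states, not from the same location as the image being checked.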