SI-07-727 Software, Firmware, and Information Integrity

Software, Firmware, and Information Integrity

Control ID

SI-07-727

Control Name

Software, Firmware, and Information Integrity

Control Category

System and Information Integrity

Functional Areas

Identify

Sub-Areas

Privacy and Confidentiality

NIST Baseline Level(s)

MOD, HIGH

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Unauthorized tampering of system and/or configuration files is undetected due to the absence of file integrity mechanisms.

Control Description

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Control Example

Software firmware allows for the scanning of information integrity.

State Implementation

No statewide control

Testing Procedures

Obtain system and information integrity policy; procedures addressing software and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and applications documentation; security plan; records of integrity scans; other relevant documents or records and ascertain if : (I)the information system detects and protects against unauthorized changes to software and information. (ii)the organization employs commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) in accordance with good software engineering practices and uses tools to automatically monitor the integrity of the information system and the applications it hosts. (iii)the organization defines in the security plan, explicitly or by reference, the frequency of integrity scans on the information system; and (iv)the organization reassesses the integrity of software and information by performing integrity scans of the information system in accordance with the organization-defined frequency.