SI-7(15)—Software, Firmware, and Information Integrity | Code Authentication
IL4 High
IL5
IL6
>Control Description
Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: ⚙organization-defined software or firmware components.
>DoD Impact Level Requirements
FedRAMP Parameter Values
SI-7 (15) [to include all software and firmware inside the boundary]
>Discussion
Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies and procedures govern code authentication?
- •Who is responsible for monitoring system and information integrity?
- •How frequently are integrity monitoring processes reviewed and updated?
Technical Implementation:
- •What technical controls detect and respond to code authentication issues?
- •How are integrity violations identified and reported?
- •What automated tools support system and information integrity monitoring?
- •What anti-malware solutions are deployed and how are they configured?
Evidence & Documentation:
- •Can you provide recent integrity monitoring reports or alerts?
- •What logs demonstrate that SI-7(15) is actively implemented?
- •Where is evidence of integrity monitoring maintained and for how long?
- •Can you show recent malware detection reports and response actions?
Ask AI
Configure your API key to use AI features.