SI-7(2)—Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations

IL4 High

IL5

IL6

>Control Description

Employ automated tools that provide notification to ⚙organization-defined personnel or roles upon discovering discrepancies during integrity verification.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SI-7 (2) [to include the ISSO and/or similar role within the organization]

>Discussion

The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What policies and procedures govern automated notifications of integrity violations?
•Who is responsible for monitoring system and information integrity?
•How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

•What technical controls detect and respond to automated notifications of integrity violations issues?
•How are integrity violations identified and reported?
•What automated tools support system and information integrity monitoring?

Evidence & Documentation:

•Can you provide recent integrity monitoring reports or alerts?
•What logs demonstrate that SI-7(2) is actively implemented?
•Where is evidence of integrity monitoring maintained and for how long?

Ask AI

Configure your API key to use AI features.