
SI-7 Software, Firmware, and Information Integrity

Baselines: Moderate, High

>Control Description

a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: organization-defined software, firmware, and information; and

b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: organization-defined actions.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS).

Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms, including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools, can automatically monitor the integrity of systems and hosted applications.
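The discussion above describes the mechanism (hash the protected files, compare against a known-good record, act on a mismatch) without showing it. The following is an added example, not code from this control catalog or from any vendor tool: a minimal baseline-and-verify checker that covers both halves of SI-7, detection (part a) and an organization-defined response (part b, here an alert record). File names, contents and the `BASELINE_KEY` are constructed for the example; the key is assumed to live off the monitored host so that a compromised host cannot re-sign its own baseline.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for this example. In a real deployment the key (or a private
# signing key) is stored away from the monitored host, e.g. in a secrets manager.
BASELINE_KEY = b"example-baseline-signing-key"


def file_sha256(path):
    """Hex SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every regular file under root and sign the result so the baseline itself is tamper-evident."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root)] = file_sha256(full)
    payload = json.dumps(hashes, sort_keys=True).encode()
    return {"files": hashes, "mac": hmac.new(BASELINE_KEY, payload, hashlib.sha256).hexdigest()}


def baseline_is_authentic(baseline):
    """Reject a baseline whose MAC no longer matches its file table (constant-time compare)."""
    payload = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(BASELINE_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def verify(root, baseline):
    """SI-7(a): compare the current tree against the baseline and report every deviation."""
    if not baseline_is_authentic(baseline):
        return {"baseline_tampered": True, "modified": [], "added": [], "missing": []}
    current = build_baseline(root)["files"]
    old = baseline["files"]
    return {
        "baseline_tampered": False,
        "modified": sorted(p for p in old if p in current and current[p] != old[p]),
        "added": sorted(p for p in current if p not in old),
        "missing": sorted(p for p in old if p not in current),
    }


def respond(findings):
    """SI-7(b): the organization-defined action. Here: build alert lines and decide whether to escalate."""
    alerts = []
    if findings["baseline_tampered"]:
        alerts.append("CRITICAL baseline MAC mismatch; treat the integrity record itself as compromised")
    for kind in ("modified", "added", "missing"):
        for path in findings[kind]:
            alerts.append(f"ALERT {kind} file: {path}")
    return {"alerts": alerts, "escalate": bool(alerts)}


def demo():
    """Constructed scenario: two monitored files; then one is altered, one is added, one is removed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("debug = false\n")
        with open(os.path.join(root, "hosts.txt"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Simulated unauthorized changes after the baseline was taken.
        with open(os.path.join(root, "config.ini"), "a") as f:
            f.write("debug = true\n")
        with open(os.path.join(root, "dropped.bin"), "wb") as f:
            f.write(b"\x00\x01\x02")
        os.remove(os.path.join(root, "hosts.txt"))
        return verify(root, baseline)


def demo_tampered_baseline():
    """Constructed scenario: an attacker edits the baseline to hide a change; verify must refuse it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("debug = false\n")
        baseline = build_baseline(root)
        baseline["files"]["config.ini"] = "0" * 64  # forged hash, MAC no longer matches
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(respond(demo()), indent=2))
```

The signed baseline is the point a plain "hash list" tool misses: an attacker who can alter a protected file can usually also alter an unsigned hash list, so the verifier checks the record before trusting it. In production the same logic runs on a schedule or from a file-change event and the findings feed the response actions the organization defines for part b.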

>Cross-Framework Mappings

>Programmatic Queries


Related Services

AWS Config
CloudTrail Log Integrity
SSM

CLI Commands

Check CloudTrail log validation:
  aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,LogValidation:LogFileValidationEnabled}'

Validate CloudTrail digest:
  aws cloudtrail validate-logs --trail-arn ARN --start-time START --end-time END

Check AMI integrity:
  aws ec2 describe-images --owners self --query 'Images[*].{Id:ImageId,State:State,Created:CreationDate}'

List SSM file integrity checks:
  aws ssm list-compliance-items --resource-types ManagedInstance --filters 'Key=ComplianceType,Values=Custom:FileIntegrity'

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern software, firmware, and information integrity?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

  • What technical controls detect and respond to software, firmware, and information integrity issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?
  • What anti-malware solutions are deployed and how are they configured?
  • What systems and events are monitored for integrity violations?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-7 is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?
  • Can you show recent malware detection reports and response actions?
  • Can you provide examples of integrity monitoring alerts and responses?
