myctrl.tools

SC-34 Non-Modifiable Executable Programs

>Control Description

For organization-defined system components, load and execute:

  a. The operating environment from hardware-enforced, read-only media; and
  b. The following applications from hardware-enforced, read-only media: organization-defined applications.

>Control Enhancements (3)

>Cross-Framework Mappings

>Supplemental Guidance

The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications that run directly on hardware platforms. Hardware-enforced, read-only media include Compact Disc-Recordable (CD-R) and Digital Versatile Disc-Recordable (DVD-R) disk drives as well as one-time, programmable, read-only memory.

The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable, read-only memory can be accepted as read-only media provided that integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system, and there are reliable hardware protections against reprogramming the memory while installed in organizational systems.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of non-modifiable executable programs?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-34?

Technical Implementation:

  • How are non-modifiable executable programs technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that non-modifiable executable programs remain effective as the system evolves?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-34?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
