800-53|CM-5(3)

Title

SIGNED COMPONENTS

Description

The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Supplemental

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.

Reference Item Details

Related: CM-7, SC-13, SI-7

Category: CONFIGURATION MANAGEMENT

Parent Title: ACCESS RESTRICTIONS FOR CHANGE

Family: CONFIGURATION MANAGEMENT

Baseline Impact: HIGH

Audit Items


Name | Plugin | Audit Name
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 10 v1.1.0
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 11 v1.0.0
6.1.1 Audit system file permissions | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v84 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v86 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v85 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v91 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v88 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v89 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v90 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v87 v1.0.0
AOSX-13-000430 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - AllowIdentifiedDevelopers | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - EnableAssessment | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - SPApplicationsDataType | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.15 v1r8
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 11 v1r6
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Catalina v1.5.0 - 800-171
Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enable Gatekeeper | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enable Gatekeeper | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enable Gatekeeper | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High