800-53|CM-5(3)

Title

SIGNED COMPONENTS

Description

The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Supplemental

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication.

Reference Item Details

Related: CM-7,SC-13,SI-7

Category: CONFIGURATION MANAGEMENT

Parent Title: ACCESS RESTRICTIONS FOR CHANGE

Family: CONFIGURATION MANAGEMENT

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.1.2.1.11 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation'WindowsCIS Windows 2003 DC v3.1.0
1.1.1.2.1.11 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation'WindowsCIS Windows 2003 MS v3.1.0
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'WindowsCIS IE 10 v1.1.0
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'WindowsCIS IE 11 v1.0.0
5.5 Set 'Check for signatures on downloaded programs' to 'Enabled'WindowsCIS IE 9 v1.0.0
6.1.1 Audit system file permissionsUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)WindowsMSCT Edge v84 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)WindowsMSCT Edge v88 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)WindowsMSCT Edge v89 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)WindowsMSCT Edge v90 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)WindowsMSCT Edge v85 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)WindowsMSCT Edge v86 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)WindowsMSCT Edge v87 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)WindowsMSCT Edge v91 v1.0.0
Allow software to run or install even if the signature is invalidWindowsMSCT Windows 10 v1703 v1.0.0
Allow software to run or install even if the signature is invalidWindowsMSCT Windows 10 v1511 v1.0.0
Allow software to run or install even if the signature is invalidWindowsMSCT Windows 10 1607 v1.0.0
Allow software to run or install even if the signature is invalidWindowsMSCT Windows 10 v1709 v1.0.0
AOSX-13-000430 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - AllowIdentifiedDevelopersUnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - EnableAssessmentUnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - SPApplicationsDataTypeUnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple Mac OSX 10.14 v2r4
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple Mac OSX 10.14 v2r5
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple Mac OSX 10.14 v2r1
AOSX-15-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple macOS 11 v1r5
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple macOS 11 v1r8
APPL-12-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple macOS 12 v1r9
APPL-13-002064 - The macOS system must have the security assessment policy subsystem enabled.UnixDISA STIG Apple macOS 13 v1r4
APPL-14-002060 - The macOS system must apply gatekeeper settings to block applications from unidentified developers.UnixDISA Apple macOS 14 (Sonoma) STIG v2r1
APPL-14-002064 - The macOS system must enable Gatekeeper.UnixDISA Apple macOS 14 (Sonoma) STIG v2r1
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.UnixDISA STIG Apache Server 2.4 Unix Server v2r3 Middleware
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.UnixDISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.UnixDISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.UnixDISA STIG Apache Server 2.4 Unix Server v3r1
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.UnixDISA STIG Apache Server 2.4 Unix Server v3r1 Middleware
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.UnixDISA STIG Apache Server 2.4 Unix Server v2r3
Big Sur - Enable GatekeeperUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enable GatekeeperUnixNIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable GatekeeperUnixNIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable GatekeeperUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enable GatekeeperUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enable GatekeeperUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enable GatekeeperUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Enable GatekeeperUnixNIST macOS Big Sur v1.4.0 - CNSSI 1253
Catalina - Enable GatekeeperUnixNIST macOS Catalina v1.5.0 - 800-53r5 High