800-53|CM-5(3)

Title

SIGNED COMPONENTS

Description

The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Supplemental

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: CM-7,SC-13,SI-7

Category: CONFIGURATION MANAGEMENT

Parent Title: ACCESS RESTRICTIONS FOR CHANGE

Family: CONFIGURATION MANAGEMENT

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'	Windows	CIS IE 10 v1.1.0
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled'	Windows	CIS IE 11 v1.0.0
5.5 Set 'Check for signatures on downloaded programs' to 'Enabled'	Windows	CIS IE 9 v1.0.0
6.1.1 Audit system file permissions	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)	Windows	MSCT Edge v85 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)	Windows	MSCT Edge v84 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)	Windows	MSCT Edge v86 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)	Windows	MSCT Edge v91 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)	Windows	MSCT Edge v89 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)	Windows	MSCT Edge v88 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)	Windows	MSCT Edge v87 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated)	Windows	MSCT Edge v90 v1.0.0
AOSX-13-000430 - The macOS system must have the security assessment policy subsystem enabled.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - AllowIdentifiedDevelopers	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - EnableAssessment	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - SPApplicationsDataType	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-002064 - The macOS system must have the security assessment policy subsystem enabled.	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled.	Unix	DISA STIG Apple macOS 11 v1r5
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled.	Unix	DISA STIG Apple macOS 11 v1r8
APPL-12-002064 - The macOS system must have the security assessment policy subsystem enabled.	Unix	DISA STIG Apple macOS 12 v1r8
APPL-13-002064 - The macOS system must have the security assessment policy subsystem enabled.	Unix	DISA STIG Apple macOS 13 v1r3
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.	Unix	DISA STIG Apache Server 2.4 Unix Server v2r6
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.	Unix	DISA STIG Apache Server 2.4 Unix Server v2r6 Middleware
Big Sur - Enable Gatekeeper	Unix	NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Enable Gatekeeper	Unix	NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enable Gatekeeper	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Enable Gatekeeper	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable Gatekeeper	Unix	NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable Gatekeeper	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enable Gatekeeper	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enable Gatekeeper	Unix	NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Catalina - Enable Gatekeeper	Unix	NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enable Gatekeeper	Unix	NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enable Gatekeeper	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enable Gatekeeper	Unix	NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enable Gatekeeper	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enable Gatekeeper	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enable Gatekeeper	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enable Gatekeeper	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Check for signatures on downloaded programs	Windows	MSCT Windows Server v1909 DC v1.0.0
Check for signatures on downloaded programs	Windows	MSCT Windows Server 2016 MS v1.0.0
Check for signatures on downloaded programs	Windows	MSCT Windows Server v1909 MS v1.0.0
Check for signatures on downloaded programs	Windows	MSCT Windows Server 2019 DC v1.0.0
Check for signatures on downloaded programs	Windows	MSCT Windows Server 2016 DC v1.0.0
Check for signatures on downloaded programs	Windows	MSCT Windows 10 1909 v1.0.0
Check for signatures on downloaded programs	Windows	MSCT Windows 10 v1507 v1.0.0
Check for signatures on downloaded programs	Windows	MSCT Windows 11 v22H2 v1.0.0

Detections

Analytics