SA-10 (1) - Software / Firmware Integrity Verification
Control requirements
- SA-10 (1) - 0: The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
Implementation guidance
See the resources that follow to learn more about how to implement this control.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
- Check whether Container Registry Vulnerability Advisor scans for critical or high vulnerabilities in the system at least every # day(s)
- Check whether DevSecOps Toolchain signs build artifacts to attest their provenance
NIST supplemental guidance
This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components.
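The hash-based check described in the supplemental guidance, as an added example that is not part of the IBM or NIST material: it compares a delivered component directory against a developer-published digest list and reports altered, missing and unlisted files. The sha256sum-style manifest format, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <relative path>'."""
    expected = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' is sha256sum's binary-mode marker
        if len(digest) != 64 or not name or ".." in Path(name).parts or Path(name).is_absolute():
            raise ValueError(f"malformed manifest line: {line!r}")
        bytes.fromhex(digest)  # ValueError if the digest is not hex
        expected[name] = digest.lower()
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_delivery(root, manifest_text):
    """Map each relative path to 'ok', 'modified', 'missing' or 'unlisted'."""
    root, report = Path(root), {}
    for name, digest in parse_manifest(manifest_text).items():
        target = root / name
        actual = sha256_file(target) if target.is_file() else None
        report[name] = "missing" if actual is None else "ok" if actual == digest else "modified"
    # Files the developer never listed count as unauthorized additions.
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in report:
            report[rel] = "unlisted"
    return report

def demo():
    """Constructed delivery: one intact, one altered, one missing, one extra file."""
    listed = {"boot.bin": b"bootloader v2\n", "fw/main.bin": b"firmware v2\n", "RELEASE.txt": b"notes\n"}
    manifest = "\n".join(f"{hashlib.sha256(c).hexdigest()}  {n}" for n, c in listed.items())
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "fw").mkdir()
        (root / "boot.bin").write_bytes(listed["boot.bin"])
        (root / "fw/main.bin").write_bytes(listed["fw/main.bin"] + b"\x00patched")
        (root / "fw/extra.bin").write_bytes(b"not in manifest")
        return verify_delivery(root, manifest)
```

A digest comparison only detects unauthorized changes if the manifest itself is authentic, so the digest list should arrive over a separate trusted channel or carry a developer signature that is checked first.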