SI-7 - Software, Firmware, and Information Integrity
Control requirements
- SI-7 - 0
- The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
Implementation guidance
See the resources that follow to learn more about how to implement this control.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
- Check whether DevSecOps Toolchain verifies source code branch protection rules to enforce security policies
- Check whether DevSecOps Toolchain collects software bills of materials (SBOM) to provide transparency in build artifacts
- Check whether DevSecOps Toolchain signs build artifacts to attest their provenance
- Check whether DevSecOps Toolchain deployment has approved change documentation including security impact analysis
NIST supplemental guidance
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.
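As an added illustration of the hash-based mechanism this guidance names (example code, not IBM Cloud or NIST tooling), the script below builds a SHA-256 baseline manifest of a directory tree, seals the manifest with an HMAC, and reports files that were modified, added or removed. The HMAC matters because a parity bit, CRC or unauthenticated hash list catches accidental corruption but not deliberate tampering by someone who can also rewrite the stored check values; the directory layout and key are constructed for the demo.

```python
# Added example (not IBM Cloud or NIST tooling): a minimal SI-7 style
# integrity check. SHA-256 digests form a baseline manifest, and an HMAC
# over the manifest keeps the baseline itself tamper-evident. The key is a
# constructed demo value; in practice it is kept off the monitored host.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC so altering a file and its recorded digest is detectable."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"files": manifest, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(root: Path, sealed: dict, key: bytes) -> dict:
    """Check the manifest MAC first, then diff the live tree against the baseline."""
    body = json.dumps(sealed["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sealed["mac"]):
        raise ValueError("baseline manifest has been altered")
    old, now = sealed["files"], build_manifest(root)
    return {"modified": sorted(k for k in old if k in now and old[k] != now[k]),
            "added": sorted(k for k in now if k not in old),
            "removed": sorted(k for k in old if k not in now)}

def demo() -> dict:
    """Constructed scenario: baseline three files, then change, add and delete one."""
    key = b"demo-key-kept-off-host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("bin/app", "etc/app.conf", "lib/helper.so"):
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(b"original " + name.encode())
        sealed = seal(build_manifest(root), key)
        (root / "etc/app.conf").write_bytes(b"tampered")   # unauthorized edit
        (root / "bin/extra").write_bytes(b"dropped in")    # unexpected new file
        (root / "lib/helper.so").unlink()                  # deleted component
        return verify(root, sealed, key)
```

Running `demo()` returns the three change sets; a production tool would run the same comparison on a schedule and raise an alert on any non-empty set or on a manifest MAC failure.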