800-53|CM-5(3)

Title

SIGNED COMPONENTS

Description

The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Supplemental

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or by a combination of both. Digital signatures, together with organizational verification of such signatures, are a method of code authentication.

Reference Item Details

Related: CM-7, SC-13, SI-7

Category: CONFIGURATION MANAGEMENT

Parent Title: ACCESS RESTRICTIONS FOR CHANGE

Family: CONFIGURATION MANAGEMENT

Baseline Impact: HIGH

Audit Items


Name | Plugin | Audit Name
1.1.1.2.1.11 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.11 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation' | Windows | CIS Windows 2003 MS v3.1.0
1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 10 v1.1.0
5.3 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 11 v1.0.0
5.5 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 9 v1.0.0
6.1.1 Audit system file permissions | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v84 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v88 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v89 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v90 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v85 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v86 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v87 v1.0.0
Allow certificates signed using SHA-1 when issued by local trust anchors (deprecated) | Windows | MSCT Edge v91 v1.0.0
Allow software to run or install even if the signature is invalid | Windows | MSCT Windows 10 v1703 v1.0.0
Allow software to run or install even if the signature is invalid | Windows | MSCT Windows 10 v1511 v1.0.0
Allow software to run or install even if the signature is invalid | Windows | MSCT Windows 10 1607 v1.0.0
Allow software to run or install even if the signature is invalid | Windows | MSCT Windows 10 v1709 v1.0.0
AOSX-13-000430 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - AllowIdentifiedDevelopers | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - EnableAssessment | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000710 - The macOS system must allow only applications that have a valid digital signature to run - SPApplicationsDataType | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.14 v2r4
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.14 v2r5
AOSX-14-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.14 v2r1
AOSX-15-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 11 v1r8
APPL-12-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 12 v1r8
APPL-13-002064 - The macOS system must have the security assessment policy subsystem enabled. | Unix | DISA STIG Apple macOS 13 v1r4
APPL-14-002060 - The macOS system must apply gatekeeper settings to block applications from unidentified developers. | Unix | DISA Apple macOS 14 (Sonoma) STIG v1r2
APPL-14-002064 - The macOS system must enable Gatekeeper. | Unix | DISA Apple macOS 14 (Sonoma) STIG v1r2
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r3 Middleware
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r7
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r7 Middleware
AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r3
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Enable Gatekeeper | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Catalina - Enable Gatekeeper | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High