| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FedRAMP_High_R4 | SI-7(14) | FedRAMP_High_R4_SI-7(14) | FedRAMP High SI-7 (14) | System And Information Integrity | Binary Or Machine Executable Code | Shared | n/a | The organization: (a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and (b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official. Supplemental Guidance: This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations. Related control: SA-5. | link | 1 |
| hipaa | 0672.10k3System.5-10.k | hipaa-0672.10k3System.5-10.k | 0672.10k3System.5-10.k | 06 Configuration Management | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Shared | n/a | The integrity of all virtual machine images is ensured at all times by (i) logging and raising an alert for any changes made to virtual machine images, and (ii) making available to the business owner(s) and/or customer(s) through electronic methods (e.g., portals or alerts) the results of a change or move and the subsequent validation of the image's integrity. | | 12 |
| hipaa | 1206.09aa2System.23-09.aa | hipaa-1206.09aa2System.23-09.aa | 1206.09aa2System.23-09.aa | 12 Audit Logging & Monitoring | 1206.09aa2System.23-09.aa 09.10 Monitoring | Shared | n/a | Auditing is always available while the system is active and tracks key events, success/failed data access, system security configuration changes, privileged or utility use, any alarms raised, activation and de-activation of protection systems (e.g., A/V and IDS), activation and deactivation of identification and authentication mechanisms, and creation and deletion of system-level objects. | | 6 |
| NIST_SP_800-53_R4 | SI-7(14) | NIST_SP_800-53_R4_SI-7(14) | NIST SP 800-53 Rev. 4 SI-7 (14) | System And Information Integrity | Binary Or Machine Executable Code | Shared | n/a | The organization: (a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and (b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official. Supplemental Guidance: This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations. Related control: SA-5. | link | 1 |