Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-34(3)

non-modifiable executable programs  | hardware-based protection

assessment objective:

Determine if the organization:

sc-34(3)(a)

sc-34(3)(a)[1]

defines information system firmware components for which hardware-based, write-protection is to be employed;

sc-34(3)(a)[2]

employs hardware-based, write-protection for organization-defined information system firmware components;

sc-34(3)(b)

sc-34(3)(b)[1]

defines individuals authorized to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode; and

sc-34(3)(b)[2]

implements specific procedures for organization-defined authorized individuals to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

potential assessment methods and objects:

Examine: [select from: System and communications protection policy; procedures addressing firmware modifications; information system design documentation; information system configuration settings and associated documentation; information system architecture; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators].

Test: [select from: Organizational processes for modifying firmware; automated mechanisms supporting and/or implementing hardware-based, write-protection for firmware].