>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CM-14Signed Components

IL4 High
IL5
IL6

>Control Description

Prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

>DoD Impact Level Requirements

Additional Requirements and Guidance

CM-14 Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

>Discussion

Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.

>Related Controls

CM-7
SC-12
SC-13
SI-7

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-14 (Signed Components)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-14?
  • How frequently is the CM-14 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-14?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-14 requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-14?
  • How is CM-14 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-14 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-14?
  • What audit logs, records, reports, or monitoring data validate CM-14 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-14 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-14 compliance?

Ask AI

Configure your API key to use AI features.