Under active development Content is continuously updated and improved

SI-7(1)Software, Firmware, and Information Integrity | Integrity Checks

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Perform an integrity check of organization-defined software, firmware, and information [Selection (one or more): at startup; at organization-defined transitional states or security-relevant events; organization-defined frequency].

>DoD Impact Level Requirements

FedRAMP Parameter Values

SI-7 (1)-2 [selection to include security relevant events] SI-7 (1)-3 [at least monthly]

>Discussion

Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.

>Programmatic Queries

Beta

Related Services

AWS CodeSign
AWS KMS
Amazon EC2 Systems Manager

CLI Commands

Sign code for integrity verification
aws signer sign-payload --profile-name MySigningProfile --payload-format JSON --payload file://code.json --region us-east-1
Verify signature of deployed artifacts
aws signer describe-signing-job --job-id signing-job-id --region us-east-1
Get image hash for integrity validation
aws ec2 describe-images --image-ids ami-0123456789abcdef0 --query 'Images[0].RootDeviceType'
Check S3 object integrity using ETag
aws s3api head-object --bucket my-bucket --key my-file.zip

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern integrity checks?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

  • What technical controls detect and respond to integrity checks issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-7(1) is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?

Ask AI

Configure your API key to use AI features.