
PS.2.1 Make software integrity verification information available to software acquirers.


>Control Description

Make software integrity verification information available to software acquirers.

>Practice: PS.2

Provide a Mechanism for Verifying Software Release Integrity

Help software acquirers ensure that the software they acquire is legitimate and has not been tampered with.

>Notional Implementation Examples

  1. Post cryptographic hashes for release files on a well-secured website.
  2. Use an established certificate authority for code signing so that consumers’ operating systems or other tools and services can confirm the validity of signatures before use.
  3. Periodically review the code signing processes, including certificate renewal, rotation, revocation, and protection.
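The first notional example above is the producer publishing a hash manifest and the acquirer checking downloaded files against it. The following is an added worked example written for this page, not code from NIST SP 800-218 or from any vendor: it writes a `SHA256SUMS`-style manifest (the `hash  name` format that `sha256sum -c` reads), then verifies a download against it, reporting a tampered file and a missing file instead of stopping at the first problem. The release directory, file names and contents are constructed for the demo.

```python
"""Added example (not from NIST SP 800-218): produce and verify a SHA256SUMS
manifest, the mechanism described in PS.2.1 notional example 1.
All file names and contents below are constructed for the demo."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large release files are not read into memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(release_dir: str, names: list[str]) -> str:
    """Producer side: emit the 'hash  name' lines that sha256sum -c understands."""
    lines = [f"{sha256_file(os.path.join(release_dir, n))}  {n}" for n in names]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'hash  name' lines; a leading '*' on the name is sha256sum's binary-mode marker."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def verify_release(release_dir: str, manifest_text: str) -> dict[str, str]:
    """Acquirer side: return {name: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry.
    Reports all files rather than stopping at the first failure, and uses a
    constant-time comparison for the digest strings."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        # a manifest entry must not be able to point outside the release directory
        if os.path.isabs(name) or ".." in name.split("/"):
            results[name] = "FAILED"
            continue
        path = os.path.join(release_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if hmac.compare_digest(sha256_file(path), expected) else "FAILED"
    return results


def demo() -> dict[str, dict[str, str]]:
    """Build a constructed release, publish its manifest, verify a clean download,
    then verify again after one file is tampered with and another is dropped."""
    with tempfile.TemporaryDirectory() as d:
        files = {"tool-1.2.0.tar.gz": b"release payload", "tool-1.2.0.sig": b"detached sig"}
        for n, body in files.items():
            with open(os.path.join(d, n), "wb") as f:
                f.write(body)
        manifest = write_manifest(d, sorted(files))
        clean = verify_release(d, manifest)
        # simulate a tampered download and a file the mirror failed to serve
        with open(os.path.join(d, "tool-1.2.0.tar.gz"), "ab") as f:
            f.write(b"\x00")
        os.remove(os.path.join(d, "tool-1.2.0.sig"))
        return {"clean": clean, "tampered": verify_release(d, manifest)}


if __name__ == "__main__":
    for label, results in demo().items():
        for name, status in results.items():
            print(f"{label:9} {status:8} {name}")
```

A hash manifest served from the same location as the release files only detects accidental corruption: an attacker who can replace the archive can replace the manifest too. It becomes an integrity control when the manifest is fetched from a separately trusted location (the "well-secured website" in example 1) or, better, is itself signed with a key the acquirer can validate, which is what example 2's code-signing certificate provides; signing is not shown in this block.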

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS: SM.4, SM.5, SM.6
BSIMM: SE2.4
CNCF SSCP: Securing Deployments—Verification
EO 14028: 4e(iii), 4e(ix), 4e(x)
IEC 62443: SM-6, SM-8, SUM-4
NIST CSF: (none listed)
NIST Labels: 2.2.2.4
OWASP SAMM: OE3-B
OWASP SCVS: 4
PCI SSLC: 6.1, 6.2
SAFECode SIC: Vendor Software Delivery Integrity Controls
SP 800-53: (none listed)
SP 800-161: SA-8
SP 800-181 (NICE): K0178
