CM-14 Signed Components

Configuration Management

New in Rev 5

Description

Prevent the installation of [Assignment: organization-defined parameters] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Supplemental Guidance

Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.
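The gate described above has two distinct checks that are easy to conflate: the signer's certificate must chain to a root the organization has explicitly approved (not merely any publicly trusted CA), and the signature must cover the exact bytes about to be installed. The following Go program is an added example, not text from NIST SP 800-53 or from this page; it uses only the standard library, generates an in-memory "organization root" and release signer, and models the component as a constructed struct rather than any real package or installer format. Names such as `VerifyBeforeInstall`, `SignComponent` and `BuildScenario` are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedComponent is a constructed stand-in for an installable artifact (patch, driver,
// firmware image) plus the detached signature and signer certificate shipped with it.
type SignedComponent struct {
	Name      string
	Payload   []byte
	Signature []byte            // ECDSA (ASN.1) signature over SHA-256(Payload)
	Signer    *x509.Certificate // signer's leaf certificate; nil when unsigned
}

// VerifyBeforeInstall is the CM-14 gate: install only when the component is signed,
// the signer's certificate chains to a root the organization explicitly approved
// (not merely any public CA), and the signature matches the bytes being installed.
func VerifyBeforeInstall(c SignedComponent, approved *x509.CertPool) error {
	if c.Signer == nil || len(c.Signature) == 0 {
		return fmt.Errorf("%s: component is not signed", c.Name)
	}
	// Verify() checks the chain to an approved root, validity dates and the code-signing EKU.
	opts := x509.VerifyOptions{Roots: approved, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := c.Signer.Verify(opts); err != nil {
		return fmt.Errorf("%s: signer certificate not approved: %w", c.Name, err)
	}
	// An approved certificate with a non-matching signature means the payload was altered
	// after signing or the signature was lifted from a different artifact.
	if err := c.Signer.CheckSignature(x509.ECDSAWithSHA256, c.Payload, c.Signature); err != nil {
		return fmt.Errorf("%s: signature does not match payload: %w", c.Name, err)
	}
	return nil
}

// SignComponent is what a release pipeline does with its signing key and certificate.
func SignComponent(name string, payload []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) (SignedComponent, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return SignedComponent{}, err
	}
	return SignedComponent{Name: name, Payload: payload, Signature: sig, Signer: cert}, nil
}

// must panics on demo setup errors (key or certificate generation), which are not recoverable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate from tmpl signed by parent's key (tmpl == parent gives self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}

// Scenario holds the organization's trust anchor and four components that exercise the gate.
type Scenario struct {
	Approved                      *x509.CertPool
	OK, Rogue, Unsigned, Tampered SignedComponent
}

// BuildScenario generates every key and certificate in memory; none of them is a real CA.
func BuildScenario() *Scenario {
	now := time.Now()
	tmpl := func(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	}
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rogueKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// The organization's code-signing root: the only anchor the gate trusts.
	rootTmpl := tmpl(1, "Example Org Code Signing Root")
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid, rootTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// Release signer issued under that root and restricted to code signing.
	signer := issue(tmpl(2, "Example Org Release Signer", x509.ExtKeyUsageCodeSigning), root, &signerKey.PublicKey, rootKey)
	// A self-signed code-signing certificate the organization never approved.
	rogueTmpl := tmpl(3, "Unknown Vendor", x509.ExtKeyUsageCodeSigning)
	rogue := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	approved := x509.NewCertPool()
	approved.AddCert(root)
	payload := []byte("driver-1.2.3: constructed payload bytes")
	ok := must(SignComponent("driver-1.2.3", payload, signerKey, signer))
	tampered := ok
	tampered.Payload = append([]byte("TAMPERED "), payload...) // altered after signing
	return &Scenario{Approved: approved, OK: ok, Tampered: tampered,
		Rogue:    must(SignComponent("driver-1.2.3", payload, rogueKey, rogue)),
		Unsigned: SignedComponent{Name: "driver-1.2.3", Payload: payload}}
}

func main() {
	s := BuildScenario()
	for _, c := range []SignedComponent{s.OK, s.Rogue, s.Unsigned, s.Tampered} {
		fmt.Println("install allowed:", VerifyBeforeInstall(c, s.Approved) == nil)
	}
}
```

Running it prints `true` only for the component signed under the organization's own root; the rogue-signed, unsigned and tampered components are all refused, each with a distinct error. The design point is the `approved` pool: it contains only the certificates the organization has recognized and approved, so a component signed by any other code-signing certificate, however valid its chain elsewhere, fails the first check. In a real deployment that pool is the trust store of the package manager, driver loader or firmware update mechanism, and the list of approved certificates is the organization-defined parameter the control asks for.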

Changes from Rev 4

New control in Rev 5.

Compliance Mappings

ISO 27001:2022

A.8.19, A.8.9

ISO 27002:2022

8.19, 8.9

COBIT 2019

BAI06, BAI10, DSS05

CIS Controls v8

CIS 2, CIS 2.6

NIST CSF 2.0

PR.PS-05

PCI DSS v4.0.1

11.5, 11.6, 6.2

FINOS CCC

CCC-C07

ISO 42001:2023

A.7.5

IEC 62443

3-3 SR 3.1, 3-3 SR 3.4

NIS2 Directive

Art. 21(2)(e)

MAS TRM

6

ASD Essential Eight

E8-1, E8-1 ML3, E8-3 ML3

BSI IT-Grundschutz

NET.3.1, OPS.1.1.3, SYS.1.1

ANSSI

Hygiene.18, Hygiene.20, Hygiene.33, Hygiene.34, SecNumCloud.13.1, SecNumCloud.13.2, SecNumCloud.15.4

FINMA Circular 2023/1

IV.A(36), IV.A(37), IV.A(39), IV.C(64), V(109), V(110)

OSFI B-13

B-13.2.2, B-13.2.3

EU DORA

Art.9(4)(e)

BIO2

8.19, 8.9

RBI CSF

Annex1.2, Annex1.6

FISC Security Guidelines

FISC.O3, FISC.T6

HKMA TM-E-1

TME1.3.2, TME1.4.1, TME1.4.3

SAMA CSF

3.23.5

NCA ECC

2-3

UAE IA

T10, T7

CBB TM

TM-7

Qatar NIA

OSSD

CBUAE

CR-6

CBE CSF

CTO-4

SA JS2

JS2-SA

BoG CISD

CISD-SDLC

BoM CTRM

3.11, 3.6

IOSCO Cyber Resilience

PROT-6

FFIEC IS

II.C.17

ECB CROE

CROE.2.3.4

EBA ICT Guidelines

3.6.3

SEBI CSCRF

PR.ES, PR.IP

BOT Cyber Resilience

Ch2.1

CMMC 2.0

CM

NERC CIP

CIP-013-2

10 CFR 73.54

RG5.71-A-SI, RG5.71-C-SR

IEEE 1686-2022

5.3

FERC CIP Orders

Order 829

API 1164

Sec 7

IAEA NSS 17-T

Sec 5.4

PCI PTS v6

BF

FIPS 140-3

FIPS 140-3 §7.5

Common Criteria

CC Part 2 — FCS, CC Part 2 — FPT

Solvency II

EIOPA-ICT-4.11, EIOPA-ICT-4.8

Lloyd's Minimum Standards

MS8.4

FCA SYSC 13

SYSC 13.7.4

OWASP MASVS v2.1

MASVS-RESILIENCE-1, MASVS-RESILIENCE-2

BSSC Standards

NOS-02