
The network device must prevent the installation of organizationally defined critical software programs not signed with an organizationally approved private key.


Overview

Finding ID: SRG-NET-000121-NDM-000079
Version: SRG-NET-000121-NDM-000079
Rule ID: SRG-NET-000121-NDM-000079_rule
IA Controls: (none listed)
Severity: Low
Description
Changes to any software component of the network device can have significant effects on the overall security of the network. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it was provided by a trusted vendor. Software must be obtained from a trusted patch server, not from the vendor. The network device should not have to verify the software again. Self-signed certificates are disallowed by this control. This control does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved source.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000121-NDM-000079_chk)
Verify applications and updates installed on the network device are obtained from an organizationally approved centralized patch server.
Verify the network device is configured to prevent the installation of software updates or applications that are not signed with an organizationally approved private key.

If the network device does not prevent the installation of organizationally defined critical applications and updates not digitally signed with an organizationally approved private key, this is a finding.
Fix Text (F-SRG-NET-000121-NDM-000079_fix)
Obtain software updates from an approved trusted patch server.
Configure the network device components to check for a digital signature prior to allowing installation of critical software programs.
Allow only organizationally approved digital signatures.
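As an added example (not part of the SRG and not any vendor's implementation), the installation gate the Fix Text describes, modelled in Go with Ed25519 and a hypothetical trust store of organizationally approved public keys: an image whose signing key is not in the store, which is what a self-signed image amounts to, is rejected before the signature is even checked, and a payload modified after signing fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// SoftwareImage is a constructed stand-in for an update package: payload, bundled signer key, signature.
type SoftwareImage struct {
	Payload   []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}
// ApprovedSigners is the device's trust store, keyed by hex-encoded public key (hypothetical).
type ApprovedSigners map[string]bool

var (
	ErrUntrustedSigner = errors.New("signer is not an organizationally approved key")
	ErrBadSignature    = errors.New("signature does not verify over the payload")
)

// GateInstall enforces the control: the signing key must already be in the trust
// store (a key trusted only because it arrived bundled with the image is the
// self-signed case and is rejected), and the signature must verify over the payload.
func GateInstall(img SoftwareImage, approved ApprovedSigners) error {
	if len(img.SignerKey) != ed25519.PublicKeySize || !approved[hex.EncodeToString(img.SignerKey)] {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(img.SignerKey, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignImage builds a sample image signed with priv (used only to construct input).
func SignImage(payload []byte, priv ed25519.PrivateKey) SoftwareImage {
	pub := priv.Public().(ed25519.PublicKey)
	return SoftwareImage{Payload: payload, SignerKey: pub, Signature: ed25519.Sign(priv, payload)}
}

func main() {
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader) // approved signing key
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)    // key the organization never approved
	trust := ApprovedSigners{hex.EncodeToString(orgPub): true}
	payload := []byte("constructed firmware image 1.2.3")
	fmt.Println("approved signer:  ", GateInstall(SignImage(payload, orgPriv), trust))   // <nil>
	fmt.Println("unapproved signer:", GateInstall(SignImage(payload, otherPriv), trust)) // ErrUntrustedSigner
}
```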