Validating the Integrity of Computing Devices

Diamond, Tyler; Grayson, Nakia; Polk, W.; Regenscheid, Andrew; Souppaya, Murugiah; Brown, Christopher; Deane, Chelsea; Scarfone, Karen

July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to csrc-inquiry@nist.gov.

NIST SP 1800-34 (Initial Preliminary Draft)

Obsoleted on June 23, 2022 by SP 1800-34 (Initial Public Draft)

Validating the Integrity of Computing Devices

Documentation Topics

Date Published: November 22, 2021
Comments Due: January 17, 2022 (public comment period is CLOSED)
Email Questions to: supplychain-nccoe@nist.gov

Planning Note (11/22/2021): The Comment period for Volume C: How-To Guides, is open through 1/17/22. This preliminary draft is stable but has some gaps in its content that will be addressed in the next draft.

Author(s)

Tyler Diamond (NIST), Nakia Grayson (NIST), W. Polk (NIST), Andrew Regenscheid (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE), Chelsea Deane (MITRE), Karen Scarfone (Scarfone Cybersecurity)

Announcement

This preliminary draft of Volume C of SP 1800-34, Validating the Integrity of Computing Devices, includes specific product installation, configuration, and integration instructions for building the example implementation. By releasing each volume of the practice guide as a preliminary draft, we can share the progress made to date and use the feedback received to shape other volumes of the practice guide.

Ensuring the Integrity of the Cyber Supply Chain

Technologies today rely on complex, globally distributed and interconnected supply chain ecosystems to provide reusable solutions. Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Cyber supply chain risks include counterfeiting, unauthorized production, tampering, theft, and insertion of unexpected software and hardware. Managing these risks requires ensuring the integrity of the cyber supply chain and its products and services. This practice guide can benefit organizations who want to verify that the internal components of their computing devices are genuine and have not been altered during the manufacturing and distribution process.

Share Your Expertise

Please visit our webpage and scroll to the status section to download the document and share your expertise with us to strengthen the Volume C preliminary draft. The public comment period for the Volume C preliminary draft is open through January 17, 2022. To receive news and updates about this project, please join the Supply Chain Assurance Community of Interest by sending an email to supplychain-nccoe@nist.gov.

Abstract

Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Cyber supply chain risks include counterfeiting, unauthorized production, tampering, theft, and insertion of unexpected software and hardware. Managing these risks requires ensuring the integrity of the cyber supply chain and its products and services. This project will demonstrate how organizations can verify that the internal components of the computing devices they acquire are genuine and have not been unexpectedly altered during manufacturing or distribution processes.

Keywords

cyber supply chain risk management; devices; integrity; validation

Control Families

Configuration Management; System and Information Integrity

Documentation

Publication:
SP 1800-34C (Prelim. Draft) and other volumes (pdf)

Supplemental Material:
Project homepage

Document History:
11/22/21: SP 1800-34 (Draft)
06/23/22: SP 1800-34 (Draft)
12/09/22: SP 1800-34 (Final)

Topics

Security and Privacy

asset management, configuration management, cybersecurity supply chain risk management, roots of trust, vulnerability management

Technologies

BIOS, personal computers, servers