Validating the Integrity of Computing Devices

Boyens, Jon; Diamond, Tyler; Grayson, Nakia; Paulsen, Celia; Polk, W.; Regenscheid, Andrew; Souppaya, Murugiah; Brown, Christopher; Deane, Chelsea; Scarfone, Karen

NIST SP 1800-34 (Initial Public Draft)

Obsoleted on December 09, 2022 by SP 1800-34

Validating the Integrity of Computing Devices

Date Published: June 23, 2022
Comments Due: August 8, 2022 (public comment period is CLOSED)
Email Questions to: supplychain-nccoe@nist.gov

Planning Note (07/20/2022): The comment period has been extended to August 8, 2022 (originally July 25th).

Author(s)

Jon Boyens (NIST), Tyler Diamond (NIST), Nakia Grayson (NIST), Celia Paulsen (NIST), W. Polk (NIST), Andrew Regenscheid (NIST), Murugiah Souppaya (NIST), Christopher Brown (MITRE), Chelsea Deane (MITRE), Karen Scarfone (Scarfone Cybersecurity)

Announcement

What Is This Guide About?

Technologies today rely on complex, globally distributed and interconnected supply chain ecosystems to provide reusable solutions. Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Managing cyber supply chain risks requires, in part, ensuring the integrity, quality, and resilience of the supply chain and its products and services. This project demonstrates how organizations can verify that the internal components of their computing devices are genuine and have not been altered during the manufacturing or distribution processes.

Share Your Expertise

Please download the document and share your expertise with us to strengthen the draft practice guide. The public comment period for this draft is now open and will close on July 25^th, 2022. You can stay up to date on this project by sending an email to supplychain-nccoe@nist.gov to join our Community of Interest. Also, if you have any project ideas for our team, please let us know by sending an email to the email address above. We look forward to your feedback.

Additional NIST Supply Chain Work

NIST is also working on an important effort, the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) with the private sector and others in government to improve cybersecurity in supply chains. This initiative will help organizations to build, evaluate, and assess the cybersecurity of products and services in their supply chains, an area of increasing concern. For more information on this effort, you can click here.

Abstract

Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Cyber supply chain risks include counterfeiting, unauthorized production, tampering, theft, and insertion of unexpected software and hardware. Managing these risks requires ensuring the integrity of the cyber supply chain and its products and services. This project will demonstrate how organizations can verify that the internal components of the computing devices they acquire, whether laptops or servers, are genuine and have not been tampered with. This solution relies on device vendors storing information within each device, and organizations using a combination of commercial off-the-shelf and open-source tools that work together to validate the stored information. This NIST Cybersecurity Practice Guide provides a draft describing the work performed so far to build and test the full solution.

Keywords

computing devices; cyber supply chain; cyber supply chain risk management (C-SCRM); hardware root of trust; integrity; provenance; supply chain; tampering

Control Families

Configuration Management; System and Information Integrity

Documentation

Publication:
NIST SP 1800-34 ipd (pdf)

Supplemental Material:
Project homepage

Document History:
11/22/21: SP 1800-34 (Draft)
06/23/22: SP 1800-34 (Draft)
12/09/22: SP 1800-34 (Final)

Topics

Security and Privacy

asset management, configuration management, continuous monitoring, cybersecurity supply chain risk management, roots of trust, vulnerability management

Technologies

BIOS, personal computers, servers