Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-155 (Initial Public Draft)

BIOS Integrity Measurement Guidelines

Date Published: December 2011
Comments Due: January 20, 2012 (public comment period is CLOSED)
Email Questions to: 800-155comments@nist.gov

Author(s)

Andrew Regenscheid (NIST), Karen Scarfone (Scarfone Cybersecurity)

Announcement

NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization -either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.

Abstract

Keywords

integrity measurement; roots of trust  ; ; hardware; Basic Input/Output System (BIOS)
Control Families

Configuration Management; System and Information Integrity

Documentation

Publication:
Draft SP 800-155 (pdf)

Supplemental Material:
None available

Document History:
12/08/11: SP 800-155 (Draft)

Topics

Security and Privacy

maintenance, roots of trust, security measurement

Technologies

BIOS, personal computers

Applications

enterprise