SC-34 (1) No Writable Storage
This control enhancement: (i) eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated information system components; and (ii) applies to both fixed and removable storage, with the latter being addressed directly or as specific restrictions imposed through access controls for mobile devices.
The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off.
SC-34 (2) Integrity Protection / Read-Only Media
Security safeguards prevent the substitution of media into information systems or the reprogramming of programmable read-only media prior to installation into the systems. Security safeguards include, for example, a combination of prevention, detection, and response.
The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.
SC-34 (3) Hardware-Based Protection
The organization:
SC-34 (3)(a) Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and
SC-34 (3)(b) Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.