Digitally signed firmware and provenance (supply chain)


Explanation: Developer and integrator affix a digital signature to software/firmware installed in a device.

Vulnerabilities addressed: Addresses software provenance, helping establish accountability for fielded software.

Developer resources required: Developer (or third party) needs a signing key, to protect that key, and to compute and store digital signatures for the protected components.

Evaluator resources required: Evaluator needs to assure the integrity of signing mechanisms and operational mechanisms for signature verification.