CM.5.074 Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures).

CMMC Practice CM.5.074: Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures).

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

Systems that perform a critical security function or processing of highly valued CUI data may contain a Trusted Platform Module (TPM) version 1.2 or higher chip. The organization will configure the systems the organization has identified to use a secure boot process (i.e., verify the signature of the OS loader and all kernel objects match expected values) and key applications are authenticated before running them. These procedures ensure the integrity of the security critical software.