SI-7 (14)     Software, Firmware, And Information Integrity | Binary Or Machine Executable Code 

The organization:
     SI-7 (14)(a):  Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
     SI-7 (14)(b):  Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

                    
                

            


        

    


    

        

        

            

                
Applicable CNSSI 1253 Baselines

            

        


        

            


                


                    

                        

                            

                                
Confidentiality

                            

                        

                        

                            

                                
    
                                    
  • 
                                        
                                        L
                                        
                                    
    • 
                                    
  • 
                                        
                                        M
                                        
                                    
    • 
                                    
  • 
                                        
                                        H
                                        
                                    
    • 
                                

                            

                            
                        

                    


                    

                        

                            

                                
Integrity

                            

                        

                        

                            

                                
    
                                    
  • 
                                        
                                        L
                                        
                                    
    • 
                                    
  • 
                                        
                                        M
                                        
                                    
    • 
                                    
  • 
                                        
                                        H
                                        
                                    
    • 
                                

                            

                            
                        

                    


                    

                        

                            

                                
Availability

                            

                        

                        

                            

                                
    
                                    
  • 
                                        
                                        L
                                        
                                    
    • 
                                    
  • 
                                        
                                        M
                                        
                                    
    • 
                                    
  • 
                                        
                                        H
                                        
                                    
    • 
                                

                            

                            
                        

                    


                


            


        


        
        

        

            

                
Supplemental Guidance

            

        

        

            

                
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations.

            

        

        

        
        

        

            

                
Related Controls