NIST SP 800-147 & -155 BIOS Protection Guidelines & BIOS Integrity Measurement: Recommendations

Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS's unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization-either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The move from conventional BIOS implementations to implementations based on the Unified Extensible Firmware Interface (UEFI) may make it easier for malware to target the BIOS in a widespread fashion, as these BIOS implementations are based on a common specification.

800-147 focuses on current and future x86 and x64 desktop and laptop systems, although the controls and procedures could potentially apply to any system design. Likewise, although the guide is oriented toward enterprise-class platforms, the necessary technologies are expected to migrate to consumer-grade systems over time. The security guidelines do not attempt to prevent installation of unauthentic BIOSs through the supply chain, by physical replacement of the BIOS chip, or through secure local update procedures. 800-155 Focuses on two scenarios: detecting changes to the system BIOS code stored on the system flash, and detecting changes to the system BIOS configuration. The document is intended for hardware and software vendors that develop products that can support secure BIOS integrity measurement mechanisms, and may also be of use for organizations developing enterprise procurement or deployment strategies for these technologies.

Why buy a book you can download for free?

First you gotta find it and make sure it's the latest version, not always easy. Then you gotta print it using a network printer you share with 100 other people - and its outta paper - and the toner is low (take out the toner cartridge, shake it, then put it back). If it's just 10 pages, no problem, but if it's a 250-page book, you will need to punch 3 holes in all those pages and put it in a 3-ring binder. Takes at least an hour. An engineer that's paid $75 an hour has to do this himself (who has assistant's anymore?).

If you are paid more than $10 an hour and use an ink jet printer, buying this book will save you money.

It's much more cost-effective to just order the latest version from Amazon.com

This public domain material is published by 4th Watch Books. We publish tightly-bound, full-size books at 8 1/2 by 11 inches, with glossy covers. 4th Watch Books is a Service Disabled Veteran Owned Small Business (SDVOSB) and is not affiliated with the National Institute of Standards and Technology.

For more titles published by 4th Watch, please visit: cybah.webplus.net

A full copy of all the pertinent cybersecurity standards is available on DVD-ROM in the CyberSecurity Standards Library disc which is available at Amazon.com.

GSA P-100 Facilities Standards for the Public Buildings Service

GSA P-120 Cost and Schedule Management Policy Requirements

GSA P-140 Child Care Center Design Guide

GSA Standard Level Features and Finishes for U.S. Courts Facilities

GSA Courtroom Technology Manual

NIST SP 500-299 NIST Cloud Computing Security Reference Architecture

NIST SP 500-291 NIST Cloud Computing Standards Roadmap Version 2

NIST SP 500-293 US Government Cloud Computing Technology Roadmap Volume 1 & 2

NIST SP 500-293 US Government Cloud Computing Technology Roadmap Volume 3 DRAFT

NIST SP 1800-8 Securing Wireless Infusion Pumps

NISTIR 7497 Security Architecture Design Process for Health Information Exchanges (HIEs)

NIST SP 800-66 Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

NIST SP 1800-1 Securing Electronic Health Records on Mobile Devices