NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-51 Hardware-based Protection

a. Employ hardware-based, write-protect for {{ insert: param, sc-51_odp.01 }}; and

b. Implement specific procedures for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

None.

Practitioner Notes

Hardware-based protection provides the strongest security guarantees because hardware mechanisms cannot be bypassed by software exploits alone.

Example 1: Use a Trusted Platform Module (TPM) 2.0 chip to anchor all platform integrity measurements. The TPM stores boot measurements in hardware registers (PCRs) that software can only extend, never reset or overwrite. BitLocker uses TPM measurements to prevent booting a tampered operating system.
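To make the PCR property concrete, the following is an added example (not code from NIST or any TPM vendor) that simulates the TPM 2.0 extend operation in software and replays a constructed measured-boot event log against known-good PCR values. The event log entries, component names and the 24-register SHA-256 bank are assumptions for the demonstration; a real verifier would read the TCG event log and the quoted PCR values from the platform.

```python
import hashlib

# Constructed sample event log (not captured from a real platform):
# each entry is (PCR index, component name, measured bytes).
SAMPLE_EVENT_LOG = [
    (0, "firmware-volume", b"constructed firmware image v1"),
    (0, "microcode", b"constructed microcode blob"),
    (4, "bootloader", b"constructed boot manager"),
    (7, "secure-boot-policy", b"SecureBoot=1"),
]

PCR_COUNT = 24          # assumed bank size
PCR_SIZE = 32           # SHA-256 bank


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend: new = H(old || H(measurement)).

    There is no 'write' or 'reset' here on purpose: this is the only
    operation software gets, so a value can never be set directly."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(current + digest).digest()


def replay_event_log(event_log):
    """Replay a measured-boot log from all-zero PCRs and return the bank."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(PCR_COUNT)}
    for index, _name, data in event_log:
        pcrs[index] = pcr_extend(pcrs[index], data)
    return pcrs


def compute_golden_values(event_log, indices):
    """Record expected PCR values (hex) for a known-good boot of this platform."""
    pcrs = replay_event_log(event_log)
    return {i: pcrs[i].hex() for i in indices}


def verify_platform(golden, reported_event_log):
    """Replay the reported log and return the indices whose PCR value differs
    from the golden value. An empty list means the measured boot chain matches."""
    pcrs = replay_event_log(reported_event_log)
    return [i for i, expected in golden.items() if pcrs[i].hex() != expected]


def run_demo():
    """Compare a clean boot, a tampered firmware volume and a reordered log."""
    golden = compute_golden_values(SAMPLE_EVENT_LOG, [0, 4, 7])
    tampered = [(0, "firmware-volume", b"constructed firmware image v1 + implant")]
    tampered += SAMPLE_EVENT_LOG[1:]
    reordered = [SAMPLE_EVENT_LOG[1], SAMPLE_EVENT_LOG[0]] + SAMPLE_EVENT_LOG[2:]
    return {
        "clean": verify_platform(golden, SAMPLE_EVENT_LOG),
        "tampered_firmware": verify_platform(golden, tampered),
        "reordered_log": verify_platform(golden, reordered),
    }


if __name__ == "__main__":
    for scenario, mismatched in run_demo().items():
        status = "OK" if not mismatched else f"MISMATCH in PCR {mismatched}"
        print(f"{scenario:18s} {status}")
```

Two properties of the simulation carry over to real hardware: a single changed byte in any measured component changes the final PCR value, and the same components measured in a different order also change it, so a verifier comparing against recorded values detects both substitution and reordering of boot stages. The point of SC-51 is that the hardware write-protect keeps the firmware that performs those first measurements from being silently replaced in the first place.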

Example 2: Deploy systems with Intel Boot Guard, which verifies the firmware's digital signature in hardware before any firmware code executes. Even if an attacker reflashes the BIOS with malicious firmware, the hardware verification detects the change and prevents the system from booting.