BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology
In addition, a common configuration baseline for each platform must be created to conform to the
organization’s policy. The baseline should ensure that the integrity protection and non-bypassability
features are enabled (if they are configurable), and that organization policies for passwords and device
boot order are enforced. Finally, the BIOS image information and associated baseline of settings for each
platform should be documented in the configuration management plan.²
Platform Deployment Phase: The secure local update process should be used to provision the approved
BIOS for that platform from the golden master image, the corresponding RTU should be installed, and
BIOS-related configuration parameters established before computer systems are deployed. This will help
the organization maintain a consistent, known starting posture. The organization should periodically
perform assessments to confirm that the organization’s BIOS policies, processes, and procedures are
being followed properly.
Specifically, the procedures must ensure that the appropriate system BIOS is installed, the RTU contains
all required keys and no unauthorized keys, and the integrity protection and non-bypassability features are
enabled if they are configurable.
Operation and Maintenance Phase: This phase includes the operations and maintenance activities that
are important for maintaining BIOS security and reliability in the operational environment. System BIOS
updates should be performed using a change management process, and the new approved version should
be documented in the configuration plan, noting that the previous BIOS image has been superseded.
The BIOS image and configuration baseline should be continuously monitored. If an unapproved
deviation from this baseline is detected, the event should be investigated, documented, and remediated as
part of incident response activities. The incident response plan should document the process and set of
authorized tools that can be used to capture the evidence to help determine the root cause.³ The secure
local update mechanism should be used to recover from a BIOS image compromise.
When a new BIOS image is required to extend system capabilities, improve system reliability, or
remediate software vulnerabilities, BIOS updates should be performed using the authenticated update
process. Where the organization participates actively in the update process, the multi-party control
process must be executed to retrieve the private key from secure storage and generate the digital
signature. The BIOS installation package should also be signed, and the digital signature should be
verified before execution. Once the update has executed successfully, the configuration baseline should
be validated to confirm that the computer system is still in compliance with the organization’s defined
policy.
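The deployment-phase checks above (approved BIOS installed, RTU holding all required keys and no unauthorized ones, integrity protection and non-bypassability enabled) and the continuous baseline monitoring described in this phase can be reduced to a single comparison of a captured inventory against the documented baseline. The following is an added example, not part of NIST SP 800-147; the inventory field names, the version tuple, and the sample values are assumptions constructed for illustration.

```python
# Added example, not from NIST SP 800-147: compare a captured BIOS inventory with the
# organization's approved baseline and list deviations. Field names are assumptions.
import hashlib

# Constructed sample: the approved golden-master record for one platform.
BASELINE = {
    "bios_version": (2, 1, 4),                # version tuple; lower means rollback
    "image_sha256": hashlib.sha256(b"approved-bios-image").hexdigest(),
    "rtu_keys": {"ORG-BIOS-SIGNING-KEY-1"},   # the only keys permitted in the RTU
    "integrity_protection": True,
    "non_bypassability": True,
    "boot_order": ["internal_disk", "network"],
    "admin_password_set": True,
}

def check_baseline(observed: dict, baseline: dict = BASELINE) -> list[str]:
    """Return the list of deviations; an empty list means the system is compliant."""
    findings = []
    if observed["image_sha256"] != baseline["image_sha256"]:
        findings.append("unapproved BIOS image (hash mismatch)")
    if observed["bios_version"] < baseline["bios_version"]:
        findings.append("BIOS rolled back below approved version")
    observed_keys = set(observed["rtu_keys"])
    missing = baseline["rtu_keys"] - observed_keys
    extra = observed_keys - baseline["rtu_keys"]
    if missing:
        findings.append(f"RTU missing required keys: {sorted(missing)}")
    if extra:
        findings.append(f"RTU contains unauthorized keys: {sorted(extra)}")
    for feature in ("integrity_protection", "non_bypassability"):
        if baseline[feature] and not observed.get(feature):
            findings.append(f"{feature} disabled")
    if observed["boot_order"] != baseline["boot_order"]:
        findings.append("boot order differs from policy")
    if baseline["admin_password_set"] and not observed.get("admin_password_set"):
        findings.append("BIOS administrator password not set")
    return findings

if __name__ == "__main__":
    # Constructed inventory: rolled back, unknown RTU key, protection disabled.
    drifted = {
        "bios_version": (2, 0, 9),
        "image_sha256": hashlib.sha256(b"older-bios-image").hexdigest(),
        "rtu_keys": {"ORG-BIOS-SIGNING-KEY-1", "UNKNOWN-KEY"},
        "integrity_protection": False,
        "non_bypassability": True,
        "boot_order": ["network", "internal_disk"],
        "admin_password_set": True,
    }
    for f in check_baseline(drifted): print("DEVIATION:", f)
```

Any non-empty result is the "unapproved deviation" the text says should be investigated, documented, and remediated through incident response.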
Recovery Phase: In some circumstances, a BIOS update will be required that cannot be accomplished
using the authenticated update process. For example, a corrupted system BIOS or RTU may be unable to
execute or invoke the authentication procedures. In this case, the appropriate system BIOS and/or RTU
may still be installable using the secure local update process. In other cases, a BIOS update may
have unintended consequences, forcing the organization to roll back to an earlier version. Extra steps
may be required for an authenticated update to authorize rollback (if versioning or timestamps are
compared during the standard authentication process), or the secure local update process may be required
to reestablish a secure baseline. As with the Operation and Maintenance Phase, it is essential to validate
² See Draft NIST SP 800-128, Guide for Security Configuration Management of Information Systems [SP800-128] for guidelines
on developing a configuration management plan.
³ For additional information on establishing incident response capabilities and handling incidents efficiently and effectively, see
NIST SP 800-61rev1, Computer Security Incident Handling Guide [SP800-61].