BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology
1.3 Audience
The intended audience for this document includes BIOS and platform vendors, and information system
security professionals who are responsible for managing the security of endpoint platforms, their secure boot
processes, and hardware security modules. The material may also be of use when developing enterprise-wide
procurement and deployment strategies.
The material in this document is technically oriented, and it is assumed that readers have at least a basic
understanding of system and network security. The document provides background information to help
such readers understand the topics that are discussed. Readers are encouraged to take advantage of other
resources (including those listed in this document) for more detailed information.
1.4 Document Structure
The remainder of this document is organized into the following major sections:
Section 2 presents an overview of the BIOS and its role in the boot process, and identifies potential
attacks against the BIOS in an operational environment.
Section 3 examines how selected threats to the BIOS can be mitigated. Section 3.1 describes security
controls for BIOS implementations that are required or recommended to mitigate these threats.
Section 3.2 defines processes that leverage these controls to implement a secure BIOS update process
within an enterprise as part of the platform management life cycle.
The document also contains appendices with supporting material:
Appendix A contains a summary of the security guidelines for system BIOS implementations.
Appendix B defines terms used in this document.
Appendix C contains a list of acronyms and abbreviations used in this document.
Appendix D contains a list of references used in the development of this document.