STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← CM-5 (3) — Access Restrictions for Change

CCI-001749

Definition

The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.

Parent Control

CM-5 (3)Access Restrictions for ChangeConfiguration Management

Linked STIG Checks (112)

V-279038CAT IIBefore installing or upgrading ColdFusion, the integrity of the installation package must be manually verified.Adobe ColdFusion Security Technical Implementation Guide V-214238CAT IIExpansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.Apache Server 2.4 UNIX Server Security Technical Implementation Guide V-252514CAT IThe macOS system must have the security assessment policy subsystem enabled.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257220CAT IThe macOS system must have the security assessment policy subsystem enabled.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-222513CAT IIThe application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.Application Security and Development Security Technical Implementation Guide V-219155CAT IIAdvance package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238359CAT IIThe Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260476CAT IIIUbuntu 22.04 LTS must be configured so that the Advance Package Tool (APT) prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-235788CAT IIIDocker Incs official GPG key must be added to the host using the users operating systems respective package repository management tooling.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-266078CAT IIThe F5 BIG-IP appliance must be configured to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.F5 BIG-IP TMOS NDM Security Technical Implementation Guide V-230949CAT IIIForescout must prevent the installation of patches, service packs, plug-ins, or modules without verification the update has been digitally signed using a certificate that is recognized and approved by the organization.Forescout Network Device Management Security Technical Implementation Guide V-234220CAT IIThe FortiGate device must only install patches or updates that are validated by the vendor via digital signature or hash.Fortinet FortiGate Firewall NDM Security Technical Implementation Guide V-65085CAT IIThe DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.IBM DataPower Network Device Management Security Technical Implementation Guide V-24363CAT IIA private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users. IBM Hardware Management Console (HMC) STIG V-238014CAT IIAdd-ins to Office applications must be signed by a Trusted Publisher.Microsoft Access 2016 Security Technical Implementation Guide V-238017CAT IITrust Bar Notifications for unsigned application add-ins must be blocked.Microsoft Access 2016 Security Technical Implementation Guide V-238176CAT IIAdd-ins to Office applications must be signed by a Trusted Publisher.Microsoft Excel 2016 Security Technical Implementation Guide V-238178CAT IITrust Bar Notifications for unsigned application add-ins must be blocked.Microsoft Excel 2016 Security Technical Implementation Guide V-221216CAT IIThe Exchange local machine policy must require signed scripts.Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide V-228370CAT IIExchange Local machine policy must require signed scripts.Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide V-259589CAT IIExchange local machine policy must require signed scripts.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259664CAT IIExchange local machine policy must require signed scripts.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-223079CAT IIChecking for signatures on downloaded programs must be enforced.Microsoft Internet Explorer 11 Security Technical Implementation Guide V-223281CAT IITrust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223290CAT IITrust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223337CAT IITrust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223375CAT IIProject must automatically disable unsigned add-ins without informing users.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223384CAT IIUnsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223391CAT IIPublisher must automatically disable unsigned add-ins without informing users.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223392CAT IIPublisher must disable all unsigned VBA macros.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223395CAT IIVisio must automatically disable unsigned add-ins without informing users.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223400CAT IIWord must automatically disable unsigned add-ins without informing users.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-238063CAT IIAdd-ins to Office applications must be signed by a Trusted Publisher.Microsoft PowerPoint 2016 Security Technical Implementation Guide V-238065CAT IITrust Bar Notifications for unsigned application add-ins must be blocked.Microsoft PowerPoint 2016 Security Technical Implementation Guide V-70715CAT IIAdd-ins to Office applications must be signed by a Trusted Publisher.Microsoft Project 2016 Security Technical Implementation Guide V-70719CAT IITrust Bar Notifications for unsigned application add-ins must be blocked.Microsoft Project 2016 Security Technical Implementation Guide V-238488CAT IIAdd-ins to Office applications must be signed by a Trusted Publisher.Microsoft Publisher 2016 Security Technical Implementation Guide V-238490CAT IITrust Bar Notifications for unsigned application add-ins must be blocked.Microsoft Publisher 2016 Security Technical Implementation Guide V-238114CAT IIAdd-ins to Office applications must be signed by a Trusted Publisher.Microsoft Visio 2016 Security Technical Implementation Guide V-238116CAT IITrust Bar Notifications for unsigned application add-ins must be blocked.Microsoft Visio 2016 Security Technical Implementation Guide V-238130CAT IIAdd-ins to Office applications must be signed by a Trusted Publisher.Microsoft Word 2016 Security Technical Implementation Guide V-238132CAT IITrust Bar Notifications for unsigned application add-ins must be blocked.Microsoft Word 2016 Security Technical Implementation Guide V-254191CAT IINutanix AOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-221653CAT IThe Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.Oracle Linux 7 Security Technical Implementation Guide V-221710CAT IThe Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Oracle Linux 7 Security Technical Implementation Guide V-221711CAT IThe Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Oracle Linux 7 Security Technical Implementation Guide V-256975CAT IIThe Oracle Linux operating system must ensure cryptographic verification of vendor software packages.Oracle Linux 7 Security Technical Implementation Guide V-248574CAT IYUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.Oracle Linux 8 Security Technical Implementation Guide V-248575CAT IOL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Oracle Linux 8 Security Technical Implementation Guide V-248576CAT IIOL 8 must prevent the loading of a new kernel for later execution.Oracle Linux 8 Security Technical Implementation Guide V-256978CAT IIOL 8 must ensure cryptographic verification of vendor software packages.Oracle Linux 8 Security Technical Implementation Guide V-268321CAT IIRancher RKE2 must be built from verified packages.Rancher Government Solutions RKE2 Security Technical Implementation Guide V-204447CAT IThe Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204448CAT IThe Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-214799CAT IThe Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-256968CAT IIThe Red Hat Enterprise Linux operating system must ensure cryptographic verification of vendor software packages.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-230264CAT IRHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230265CAT IRHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230266CAT IIRHEL 8 must prevent the loading of a new kernel for later execution.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-256973CAT IIRHEL 8 must ensure cryptographic verification of vendor software packages.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257799CAT IIRHEL 9 must prevent the loading of a new kernel for later execution.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257819CAT IIRHEL 9 must ensure cryptographic verification of vendor software packages.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257820CAT IRHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257821CAT IRHEL 9 must check the GPG signature of locally installed software packages before installation.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257822CAT IRHEL 9 must have GPG signature verification enabled for all software repositories.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257825CAT IIRHEL 9 subscription-manager package must be installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257537CAT IIOpenShift must verify container images.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-261274CAT IThe SLEM 5 tool zypper must have gpgcheck enabled.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217153CAT IIThe SUSE operating system tool zypper must have gpgcheck enabled.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-219969CAT IIThe system must verify that package updates are digitally signed.Solaris 11 SPARC Security Technical Implementation Guide V-219997CAT IIThe system must verify that package updates are digitally signed.Solaris 11 X86 Security Technical Implementation Guide V-240978CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.Tanium 7.0 Security Technical Implementation Guide V-241016CAT IIThe Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.Tanium 7.0 Security Technical Implementation Guide V-241026CAT IIThe Tanium Server must be configured to only allow signed content to be imported.Tanium 7.0 Security Technical Implementation Guide V-234037CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.Tanium 7.3 Security Technical Implementation Guide V-234086CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.Tanium 7.3 Security Technical Implementation Guide V-234087CAT IIThe Tanium Server must be configured to only allow signed content to be imported.Tanium 7.3 Security Technical Implementation Guide V-254903CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-254904CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-253807CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.Tanium 7.x Security Technical Implementation Guide V-253845CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.Tanium 7.x Security Technical Implementation Guide V-253846CAT IIThe Tanium Server must be configured to allow only signed content to be imported.Tanium 7.x Security Technical Implementation Guide V-252930CAT ITOSS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-240056CAT IIHAProxy files must be verified for their integrity (checksums) before being added to the build systems.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240057CAT IIHAProxy expansion modules must be verified for their integrity (checksums) before being added to the build systems.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240235CAT IILighttpd files must be verified for their integrity before being added to a production web server.VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide V-240236CAT IILighttpd expansion modules must be verified for their integrity before being added to a production web server.VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide V-240512CAT IIThe RPM package management tool must cryptographically verify the authenticity of all software packages during installation.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-240781CAT IItc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240782CAT IItc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240934CAT IIPatches, service packs, and upgrades to the vAMI must be verifiably signed using a digital certificate that is recognized and approved by the organization.VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide V-239607CAT IIThe RPM package management tool must cryptographically verify the authenticity of all software packages during installation.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-241631CAT IItc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241632CAT IItc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-256410CAT IThe ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified.VMware vSphere 7.0 ESXi Security Technical Implementation Guide V-256653CAT IIVAMI server binaries and libraries must be verified for their integrity.VMware vSphere 7.0 VAMI Security Technical Implementation Guide V-256680CAT IIESX Agent Manager application files must be verified for their integrity.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256681CAT IIESX Agent Manager must only run one webapp.VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256713CAT IILookup Service application files must be verified for their integrity.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256714CAT IILookup Service must only run one webapp.VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256618CAT IIPerformance Charts application files must be verified for their integrity.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256619CAT IIPerformance Charts must only run one webapp.VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-256530CAT IIThe Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256531CAT IIThe Photon operating system RPM package management tool must cryptographically verify the authenticity of all software packages during installation.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256532CAT IIThe Photon operating system YUM repository must cryptographically verify the authenticity of all software packages during installation.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256752CAT IIThe Security Token Service application files must be verified for their integrity.VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256753CAT IIThe Security Token Service must only run one webapp.VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256785CAT IIvSphere UI application files must be verified for their integrity.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-256786CAT IIvSphere UI plugins must be authorized before use.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-258746CAT IThe ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified.VMware vSphere 8.0 ESXi Security Technical Implementation Guide V-258846CAT IThe Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-258864CAT IThe Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide