STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← CM-14 — Signed Components

CCI-003992

Definition

Prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Parent Control

CM-14Signed ComponentsConfiguration Management

Linked STIG Checks (103)

V-273995CAT IIAmazon Linux 2023 must ensure cryptographic verification of vendor software packages.Amazon Linux 2023 Security Technical Implementation Guide V-273996CAT IAmazon Linux 2023 must check the GPG signature of locally installed software packages before installation.Amazon Linux 2023 Security Technical Implementation Guide V-273997CAT IAmazon Linux 2023 must check the GPG signature of software packages originating from external software repositories before installation.Amazon Linux 2023 Security Technical Implementation Guide V-273998CAT IAmazon Linux 2023 must have GPG signature verification enabled for all software repositories.Amazon Linux 2023 Security Technical Implementation Guide V-274177CAT IIAmazon Linux 2023 must prevent the loading of a new kernel for later execution.Amazon Linux 2023 Security Technical Implementation Guide V-268154CAT INixOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Anduril NixOS Security Technical Implementation Guide V-214238CAT IIExpansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.Apache Server 2.4 UNIX Server Security Technical Implementation Guide V-259509CAT IThe macOS system must apply gatekeeper settings to block applications from unidentified developers.Apple macOS 14 (Sonoma) Security Technical Implementation Guide V-259512CAT IThe macOS system must enable Gatekeeper.Apple macOS 14 (Sonoma) Security Technical Implementation Guide V-268508CAT IThe macOS system must apply gatekeeper settings to block applications from unidentified developers.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268511CAT IThe macOS system must enable gatekeeper.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277117CAT IThe macOS system must apply gatekeeper settings to block applications from unidentified developers.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277120CAT IThe macOS system must enable gatekeeper.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-222513CAT IIThe application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.Application Security and Development Security Technical Implementation Guide V-204740CAT IIThe application server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate recognized and approved by the organization.Application Server Security Requirements Guide V-238359CAT IIThe Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260476CAT IIIUbuntu 22.04 LTS must be configured so that the Advance Package Tool (APT) prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270695CAT IIIUbuntu 24.04 LTS Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu 24.04 LTS components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-263571CAT IIThe Central Log Server must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.Central Log Server Security Requirements Guide V-269163CAT IAlmaLinux OS 9 must check the GPG signature of software packages originating from external software repositories before installation.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269164CAT IAlmaLinux OS 9 must ensure cryptographic verification of vendor software packages.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269165CAT IAlmaLinux OS 9 must check the GPG signature of locally installed software packages before installation.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269166CAT IAlmaLinux OS 9 must check the GPG signature of repository metadata before package installation.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269167CAT IAlmaLinux OS 9 must have GPG signature verification enabled for all software repositories.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269168CAT IIAlmaLinux OS 9 must prevent the loading of a new kernel for later execution.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233064CAT IIThe container platform must be built from verified packages.Container Platform Security Requirements Guide V-233065CAT IIThe container platform must verify container images.Container Platform Security Requirements Guide V-263606CAT IIThe DBMS must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization.Database Security Requirements Guide V-269775CAT IIThe Dell OS10 Switch must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.Dell OS10 Switch NDM Security Technical Implementation Guide V-263628CAT IIThe DNS server implementation must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.Domain Name System (DNS) Security Requirements Guide V-230949CAT IIIForescout must prevent the installation of patches, service packs, plug-ins, or modules without verification the update has been digitally signed using a certificate that is recognized and approved by the organization.Forescout Network Device Management Security Technical Implementation Guide V-203720CAT IThe operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.General Purpose Operating System Security Requirements Guide V-268283CAT IIThe HYCU virtual appliance must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.HYCU Protege Security Technical Implementation Guide V-256885CAT IIA private web server must subscribe to certificates, issued from any DOD-authorized Certificate Authority (CA), as an access control mechanism for web users.IBM Hardware Management Console (HMC) Security Technical Implementation Guide V-205483CAT IIThe Mainframe Product must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.Mainframe Product Security Requirements Guide V-276269CAT IIAzure SQL Managed Instance must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization.Microsoft Azure SQL Managed Instance Security Technical Implementation Guide V-259589CAT IIExchange local machine policy must require signed scripts.Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide V-259664CAT IIExchange local machine policy must require signed scripts.Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide V-223281CAT IITrust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223290CAT IITrust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223337CAT IITrust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223375CAT IIProject must automatically disable unsigned add-ins without informing users.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223384CAT IIUnsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223391CAT IIPublisher must automatically disable unsigned add-ins without informing users.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223392CAT IIPublisher must disable all unsigned VBA macros.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223395CAT IIVisio must automatically disable unsigned add-ins without informing users.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-223400CAT IIWord must automatically disable unsigned add-ins without informing users.Microsoft Office 365 ProPlus Security Technical Implementation Guide V-260942CAT IIMKE must only run signed images.Mirantis Kubernetes Engine Security Technical Implementation Guide V-279398CAT IIMongoDB must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization.MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide V-202047CAT IIThe network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.Network Device Management Security Requirements Guide V-279577CAT INutanix OS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Nutanix Acropolis GPOS Security Technical Implementation Guide V-221653CAT IThe Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.Oracle Linux 7 Security Technical Implementation Guide V-221710CAT IThe Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Oracle Linux 7 Security Technical Implementation Guide V-221711CAT IThe Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Oracle Linux 7 Security Technical Implementation Guide V-256975CAT IIThe Oracle Linux operating system must ensure cryptographic verification of vendor software packages.Oracle Linux 7 Security Technical Implementation Guide V-248574CAT IYUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.Oracle Linux 8 Security Technical Implementation Guide V-248575CAT IOL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Oracle Linux 8 Security Technical Implementation Guide V-248576CAT IIOL 8 must prevent the loading of a new kernel for later execution.Oracle Linux 8 Security Technical Implementation Guide V-256978CAT IIOL 8 must ensure cryptographic verification of vendor software packages.Oracle Linux 8 Security Technical Implementation Guide V-271523CAT IOL 9 must check the GPG signature of locally installed software packages before installation.Oracle Linux 9 Security Technical Implementation Guide V-271524CAT IOL 9 must check the GPG signature of software packages originating from external software repositories before installation.Oracle Linux 9 Security Technical Implementation Guide V-271525CAT IOL 9 must have GPG signature verification enabled for all software repositories.Oracle Linux 9 Security Technical Implementation Guide V-271526CAT IIOL 9 must ensure cryptographic verification of vendor software packages.Oracle Linux 9 Security Technical Implementation Guide V-271766CAT IIOL 9 must prevent the loading of a new kernel for later execution.Oracle Linux 9 Security Technical Implementation Guide V-280931CAT IIRHEL 10 must ensure cryptographic verification of vendor software packages.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280932CAT IRHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages originating from external software repositories before installation.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280933CAT IRHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed software packages before installation.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280934CAT IRHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled for all software repositories.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280952CAT IIRHEL 10 must have the "subscription-manager" package installed.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281307CAT IRHEL 10 must prevent the loading of a new kernel for later execution.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-230264CAT IRHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230265CAT IRHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230266CAT IIRHEL 8 must prevent the loading of a new kernel for later execution.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-256973CAT IIRHEL 8 must ensure cryptographic verification of vendor software packages.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257799CAT IIRHEL 9 must prevent the loading of a new kernel for later execution.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257819CAT IIRHEL 9 must ensure cryptographic verification of vendor software packages.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257820CAT IRHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257821CAT IRHEL 9 must check the GPG signature of locally installed software packages before installation.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257822CAT IRHEL 9 must have GPG signature verification enabled for all software repositories.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257825CAT IIRHEL 9 subscription-manager package must be installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257537CAT IIOpenShift must verify container images.Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide V-257537CAT IIOpenShift must verify container images.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-275571CAT IUbuntu OS must be configured so that the Advance Package Tool (APT) prevents the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate recognized and approved by the organization.Riverbed NetIM OS Security Technical Implementation Guide V-217153CAT IIThe SUSE operating system tool zypper must have gpgcheck enabled.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-219969CAT IIThe system must verify that package updates are digitally signed.Solaris 11 SPARC Security Technical Implementation Guide V-219997CAT IIThe system must verify that package updates are digitally signed.Solaris 11 X86 Security Technical Implementation Guide V-279251CAT IThe Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.Symantec Edge SWG NDM Security Technical Implementation Guide V-254903CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-254904CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-253807CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.Tanium 7.x Security Technical Implementation Guide V-253845CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.Tanium 7.x Security Technical Implementation Guide V-253846CAT IIThe Tanium Server must be configured to allow only signed content to be imported.Tanium 7.x Security Technical Implementation Guide V-252930CAT ITOSS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282582CAT ITOSS 5 must ensure cryptographic verification of vendor software packages.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282583CAT ITOSS 5 must check the GPG signature of software packages originating from external software repositories before installation.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282584CAT ITOSS 5 must check the GPG signature of locally installed software packages before installation.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282585CAT ITOSS 5 must have GPG signature verification enabled for all software repositories.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282586CAT IITOSS 5 subscription-manager package must be installed.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-234349CAT IIThe UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.Unified Endpoint Management Server Security Requirements Guide V-207472CAT IIThe VMM must prevent the installation of guest VMs, patches, service packs, device drivers, or VMM components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.Virtual Machine Manager Security Requirements Guide V-206372CAT IIAll web server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server.Web Server Security Requirements Guide V-206373CAT IIExpansion modules must be fully reviewed, tested, and signed before they can exist on a production web server.Web Server Security Requirements Guide V-269577CAT IXylok Security Suite must be running a supported version.Xylok Security Suite 20.x Security Technical Implementation Guide