AST-18: Roots of Trust Protection
Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
Control Question: Does the organization provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification?
General (6)
| Framework | Mapping Values |
|---|---|
| IEC 62443-4-2 2019 | EDR 3.13 (13.8.1(a)), HDR 3.12 (14.7.1), HDR 3.13 (14.8.1(a)), HDR 3.13 (14.8.1(b)), NDR 3.12 (15.9.1), NDR 3.13 (15.10.1(a)) |
| NIST 800-172 | 3.14.1e |
| NIST CSF 2.0 (source) | ID.RA-09 |
| SCF CORE ESP Level 1 Foundational | AST-18 |
| SCF CORE ESP Level 2 Critical Infrastructure | AST-18 |
| SCF CORE ESP Level 3 Advanced Threats | AST-18 |
US (2)
| Framework | Mapping Values |
|---|---|
| US CMMC 2.0 Level 3 (source) | SI.L3-3.14.1E |
| US DoD Zero Trust Reference Architecture 2.0 | 4.2 |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-15-1 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC Australia IoT Code of Practice | Principle 4, Principle 7 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
Level 3 — Well Defined
Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
- An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
- Technology assets and data are categorized according to data classification and business criticality criteria.
- A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks, including the removal and prevention of certain technology services and/or equipment designated as supply chain threats by a statutory or regulatory body.
- Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
- A Supply Chain Risk Management (SCRM) program oversees supply chain risks, including “roots of trust” protections that keep the chain of custody intact and help minimize the likelihood of tampering or substitution.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
Assessment Objectives
- AST-18_A01 security-critical or essential software is defined.
- AST-18_A02 root of trust mechanisms or cryptographic signatures are identified.
- AST-18_A03 the integrity of security-critical or essential software is verified using root of trust mechanisms or cryptographic signatures.
Evidence Requirements
- E-AST-26 Roots of Trust Evidence: Documented evidence of product supplier data that can be used as a “roots of trust” basis for integrity verification.
Asset Management
Technology Recommendations
Micro/Small
- IT Asset Management (ITAM) program
- Configuration Management Database (CMDB)
Small
- IT Asset Management (ITAM) program
- Configuration Management Database (CMDB)
Medium
- IT Asset Management (ITAM) program
- Configuration Management Database (CMDB)
Large
- IT Asset Management (ITAM) program
- Configuration Management Database (CMDB)
Enterprise
- IT Asset Management (ITAM) program
- Configuration Management Database (CMDB)