Re: None

Thursday, 12/29/2011 3:16:40 AM

NIST.gov site draft publication

http://csrc.nist.gov/publications/PubsDrafts.html

Dec. 8, 2011

SP 800-155

DRAFT BIOS Integrity Measurement Guidelines

NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization — either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.

NIST requests comments on draft SP 800-155 by January 20, 2012. Please submit comments to 800-155comments@nist.gov, with "Comments SP 800-155" in the subject line.

BIOS Integrity Measurement Guidelines (Draft)

Recommendations of the National Institute of Standards and Technology

Andrew Regenscheid
Karen Scarfone

Acknowledgments

The authors wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. In particular, the authors would like to acknowledge the contributions of Greg Kazmierczak and Robert Thibadeau of Wave Systems, and Kurt Roemer from Citrix, who provided helpful comments and feedback on early drafts of this document. We would also like to thank our colleagues at NIST that reviewed early drafts of this document, including Bill Burr, Donna Dodson, Tim Polk, Matthew Scholl, Murugiah Souppaya, Bill Burr, and David Waltermire.

Abstract

This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. Unauthorized modification of BIOS firmware constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. The document focuses on two scenarios: detecting changes to the system BIOS code stored on the system flash, and detecting changes to the system BIOS configuration. The document is intended for hardware and software vendors that develop products that can support secure BIOS integrity measurement mechanisms, and may also be of use for organizations developing enterprise procurement or deployment strategies for these technologies.


Nice to see Wave employees in the thick of this.

Best,
toro
