Name: Ron Crane
Organization: N/A
Post Date: 9/30/2005
Section: .20.6.6
Page no.:
Line no.:
Comment: 9b.
b. Vol. II, §6.6(c) requires that the Physical Configuration Audit "include a review of all drawings, specifications, technical data, and test data associated with the system hardware." But this leaves gaping holes for unscrupulous vendors. For one thing, these requirements are vague, and could be construed by a less-than-thorough test lab not to include reviews of firmware. For another, even if the test lab does a thorough job of reviewing the firmware, an unscrupulous vendor can simply ship hardware containing firmware different from that which was reviewed. No one would ever know.

Third, no firmware review is required for COTS hardware. But an unscrupulous vendor could add a malware loader to COTS firmware, such as the video BIOS, then represent it as "unchanged", and therefore not in need of inspection. Nothing in the Guidelines would assist the discovery of this subterfuge.