What to Ask When Auditing Firmware Security

What to ask when auditing firmware security compliance
Subscribe to Eclypsium’s Threat Report

Everything you need to know when auditing a company’s firmware and hardware security compliance.

Click here to download examples of some questions to ask when auditing firmware and hardware.

Join Eclypsium VP of Federal Technology, John Loucadies, on May 26, 2021, for a discussion on questions auditors should be asking when evaluating firmware compliance.

As an auditor, you meticulously comb through the requirements and keep organizations accountable for compliance. Recently, you may have noticed firmware and hardware introduced in compliance standards, including NIST 800-53 Rev. 5, PCI DSS, FedRAMP, NIST 800-171, and Cybersecurity Maturity Model Certification (CMMC). But what does this mean, and what should you be looking for?

Firmware and hardware are subject to many of the same bugs and vulnerabilities that plague software, and the risk management process should extend down to these levels. In the past, this has been difficult because tools to enumerate the many components of a device,  inspect firmware for vulnerabilities, or check for unauthorized modifications are specialized. While most organizations cannot afford teams of firmware experts, attackers continue to take advantage of this gap. Auditors can identify these gaps and help organizations resolve them before they are exploited. 

With new tools now available, it is appropriate for an auditor to ask how an organization is achieving the same level of compliance discipline at the firmware and hardware layer as they do the operating system and application. Below are examples of some questions to ask during an audit based on NIST 800-53 Rev. 5 and ways organizations can provide proof of compliance.

Tools make all the difference both in verifying due diligence and implementing these controls within an organization. When working to bring an organization into compliance, a scan tool on each endpoint can coalesce these device details into one place for analysis. From there, the inventory becomes clear, vulnerabilities can be identified, remediation steps can be prioritized, and threats can be hunted down. 

Questions can quickly reveal the actionable next steps organizations must take to become compliant. For example, if a critical issue or backdoor were found in a particular network card or chipset, would the organization be able to find all the affected devices? If OS and application updates are being managed, will the same process also cover BIOS and other component firmware? Are any checks in place to discover firmware-level tampering or counterfeiting? This allows auditors to build a path forward and ensure compliance is being met.  

Eclypsium enables component-level inventory, risk management, and threat detection across the enterprise. Findings are automatically mapped to NIST Special Publications relevant to firmware and hardware. This information supports evidence of relevant controls in the environment.

Download sample questions to ask during an audit here.