The Inner Circle


NSA UEFI Secure Boot Customization

  1. NSA UEFI Secure Boot Customization

    Posted Mar 22, 2023 12:58:00 AM

    Hi All,

    The NSA just published a Cybersecurity Technical Report, "UEFI Secure Boot Customization".

    Secure Boot is a boot integrity feature that is part of the Unified Extensible Firmware Interface (UEFI) industry standard. Most modern computer systems are delivered to customers with a standard Secure Boot policy installed. This document provides a comprehensive guide for customizing a Secure Boot policy to meet several use cases.

    Recommendations for system administrators and infrastructure owners:
     • Machines running legacy BIOS or Compatibility Support Module (CSM) should be migrated to UEFI native mode.
     • Secure Boot should be enabled on all endpoints and configured to audit firmware modules, expansion devices, and bootable OS images (sometimes referred to as Thorough Mode).
     • Secure Boot should be customized, if necessary, to meet the needs of organizations and their supporting hardware and software.
     • Firmware should be secured using a set of administrator passwords appropriate for a device's capabilities and use case.
     • Firmware should be updated regularly and treated as importantly as operating system and application updates.
     • A Trusted Platform Module (TPM) should be leveraged to check the integrity of firmware and the Secure Boot configuration.

    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA
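The recommendations above ask administrators to confirm that Secure Boot is enabled and to understand the policy (db/dbx contents) that a customization would change. The following is an added example, not code from the NSA report or from the post's author: a small Linux audit helper that decodes the `SecureBoot` and `SetupMode` variables and walks the `EFI_SIGNATURE_LIST` chain in `db`/`dbx` as exposed under `/sys/firmware/efi/efivars`. The variable GUIDs and signature-type GUIDs are from the UEFI specification; the owner GUID, the fake DER stub and the hash values in the sample blobs are constructed so the decoder can be exercised offline, and `audit_live_system()` is a hypothetical wrapper that only works on a real UEFI host.

```python
"""Added example (not from the NSA report or the original post):
decode UEFI Secure Boot state and signature databases from efivarfs."""
from __future__ import annotations

import struct
import uuid
from pathlib import Path

# Variable namespaces defined by the UEFI specification
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFIVARS = Path("/sys/firmware/efi/efivars")

# Signature type GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}


def strip_attrs(blob: bytes) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attribute word; drop it."""
    if len(blob) < 5:
        raise ValueError("efivar blob too short")
    return blob[4:]


def parse_siglists(data: bytes) -> list[dict]:
    """Walk a chain of EFI_SIGNATURE_LIST structures (contents of db, dbx, KEK).

    Layout: SignatureType GUID (16) | SignatureListSize u32 | SignatureHeaderSize u32
            | SignatureSize u32 | header | N x (SignatureOwner GUID (16) + SignatureData)
    """
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        entries = [{"owner": str(uuid.UUID(bytes_le=body[i:i + 16])),
                    "data": body[i + 16:i + sig_size]}
                   for i in range(0, len(body), sig_size)]
        out.append({"type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)), "entries": entries})
        off += list_size
    return out


def summarize(secureboot: bytes, setupmode: bytes, db: bytes, dbx: bytes) -> dict:
    """Reduce the raw variables to the facts an administrator wants to check."""
    sb = strip_attrs(secureboot)[0] == 1
    setup = strip_attrs(setupmode)[0] == 1      # SetupMode=1 means no PK, enforcement off
    db_lists = parse_siglists(strip_attrs(db))
    dbx_lists = parse_siglists(strip_attrs(dbx))
    return {
        "secure_boot_enabled": sb and not setup,
        "setup_mode": setup,
        "db_x509_certs": sum(len(l["entries"]) for l in db_lists if l["type"] == "x509"),
        "dbx_sha256_hashes": sum(len(l["entries"]) for l in dbx_lists if l["type"] == "sha256"),
    }


def make_siglist(sig_type: uuid.UUID, owner: uuid.UUID, datas: list[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST (used here only to construct sample input)."""
    sig_size = 16 + len(datas[0])
    header = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(datas), 0, sig_size)
    return header + b"".join(owner.bytes_le + d for d in datas)


# Constructed sample blobs: attribute word NV|BS|RT, then variable data
ATTRS = struct.pack("<I", 0x7)
OWNER = uuid.UUID(int=0x1234)                                # constructed owner GUID
SAMPLE_SECUREBOOT = ATTRS + b"\x01"
SAMPLE_SETUPMODE = ATTRS + b"\x00"
SAMPLE_DB = ATTRS + make_siglist(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 30])  # fake DER stub
SAMPLE_DBX = ATTRS + make_siglist(EFI_CERT_SHA256_GUID, OWNER, [bytes([i]) * 32 for i in range(3)])


def audit_live_system() -> dict:
    """Hypothetical wrapper: read the real variables on a UEFI Linux host."""
    def read_var(name: str, guid: str) -> bytes:
        return (EFIVARS / f"{name}-{guid}").read_bytes()
    return summarize(read_var("SecureBoot", EFI_GLOBAL_VARIABLE),
                     read_var("SetupMode", EFI_GLOBAL_VARIABLE),
                     read_var("db", EFI_IMAGE_SECURITY_DATABASE),
                     read_var("dbx", EFI_IMAGE_SECURITY_DATABASE))


if __name__ == "__main__":
    print(summarize(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE, SAMPLE_DB, SAMPLE_DBX))
```

A host reporting `setup_mode: True` has no Platform Key enrolled and is not enforcing anything even if `SecureBoot` reads 1, which is the state a customization procedure passes through and should not be left in; a low `dbx_sha256_hashes` count on a fielded machine is a hint that revocation updates have not been applied alongside firmware updates.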