Establish, implement, and maintain digital signatures.

CONTROL ID: 13828
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Manage the use of encryption controls and cryptographic controls., CC ID: 00570

This Control has the following implementation support Control(s):
  • Include the expiration date in digital signatures., CC ID: 13833
  • Include audience restrictions in digital signatures., CC ID: 13834
  • Include the subject in digital signatures., CC ID: 13832
  • Include the issuer in digital signatures., CC ID: 13831
  • Include identifiers in the digital signature., CC ID: 13829
  • Generate and protect a secret random number for each digital signature., CC ID: 06577
  • Establish the security strength requirements for the digital signature process., CC ID: 06578

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should implement transaction-signing (e.g. digital signatures) for authorising high-risk activities to protect the integrity of customer accounts' data and transaction details. High-risk activities include changes to sensitive customer data (e.g. customer office and home address, email and te… (§ 14.2.3, Technology Risk Management Guidelines, January 2021)
  • DKIM signing is enabled on emails originating from an organisation's domains. (Security Control: 0861; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Each device shall have a unique visible identifier affixed to it or should be identifiable using secure, cryptographically protected methods. (J7, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party. (6.2.7, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify the device uses code signing and validates code before execution. (C.30, Application Security Verification Standard 4.0.3, 4.0.3)
  • Digitally signed by a trusted entity (e.g., the identity provider). (§ 5.6.4 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Previously collected biometric data MAY be reused with the new PIV Card if the expiration date of the new PIV Card is no later than 12 years after the date that the biometric data was obtained. As biometric system error rates generally increase with the time elapsed since initial collection (referen… (2.9.1 ¶ 7, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • The public key required to verify the digital signature SHALL be in a content signing certificate, which SHALL be issued under the id-fpki-common-piv-contentSigning policy of [COMMON] and SHALL include an extended key usage (extKeyUsage) extension asserting id-PIV-content-signing. The signature on t… (4.2.3.2 ¶ 4, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the network environment or enclave. (T0310, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)