Does your organization have a process to monitor hardware and software for signs of tampering?
Explanation
Hardware and software tampering can introduce unauthorized modifications, backdoors, or malicious code that compromise system integrity and security. Effective monitoring includes regular physical inspections of hardware seals/chassis, verification of firmware/software checksums, and automated tools that detect unexpected changes to system configurations or files.
Evidence could include documented monitoring procedures, logs from tamper-detection systems, results from integrity verification tools (like Tripwire or AIDE), hardware inspection checklists, or reports from security information and event management (SIEM) systems that flag potential tampering events.
Implementation Example
Monitor hardware and software for signs of tampering
ID: DE.CM-09.288
Context
- Function
- DE: DETECT
- Category
- DE.CM: Continuous Monitoring
- Sub-Category
- Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
Related questions
- Does your organization have a system in place to monitor DNS, BGP, and other critical network services for suspicious or malicious activities?
- Does your organization implement network monitoring controls to detect and alert on unauthorized endpoint connections to both wired and wireless networks?
- Does your organization have a process to regularly monitor facilities for unauthorized or rogue wireless networks?
- Does your organization regularly compare actual network traffic flows against established baselines to detect and investigate deviations?
- Does your organization continuously monitor network communications to detect changes in security postures as part of a zero trust architecture?
- Does your organization monitor physical access control logs for unusual patterns and failed access attempts?

