NIST details trusted root BIOS verification model

The National Institute of Standards and Technology outlines, in a draft special publication posted online Dec. 9, how a "roots of trust" cybersecurity model might operate at the level of the computer BIOS.

Roots of trust is the term NIST uses for system components that must be trusted unconditionally, because nothing lower in the stack can verify their behavior; boot firmware such as the Basic Input/Output System is the prime example.

For BIOS to merit that kind of trust, the draft says it must be covered by an integrity measurement system whose results are reported to a measurement assessment authority, such as the local IT department, which decides whether the firmware is in a known-good state.

It all begins with the configuration of the BIOS itself: the machine joins the network in a known-good baseline state, established either by a certification to that effect from the original equipment manufacturer or reseller, or by an IT administrator's assessment during initial provisioning. When the BIOS is legitimately updated, the record of expected values, which the special publication calls "golden measurements", is updated with it.

Thereafter, at each boot, a trusted measurement component hashes the BIOS code and configuration settings and records the results in a tamper-protected log. The measurement assessment authority can request that log; the request passes through a chain of agents (transmission, collection, reporting), the response comes back through them in reverse order with an extra stop at a verification agent that compares the reported measurements against the golden values, and the results reach the administrator through a user interface such as a dashboard.
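The measure, record, request and verify loop described above, as an added illustration that is not code from NIST or from the draft: the script below models a measurement agent that hash-chains each BIOS measurement into a register and keeps a log, and a verification agent that authenticates the report, replays the log against the reported register value and compares every entry with the golden measurements. The hash-chained register and the HMAC used to sign the report are stand-ins for a TPM's registers and attestation key (an assumption, since the draft as summarized here does not name a hardware mechanism), the transmission, collection and reporting agents are collapsed into direct function calls, and the BIOS component names, contents and keys are constructed for the example.

```python
"""Model of the measure-at-boot / store / verify loop sketched in the draft.
Constructed example (not NIST code); hash-chain register and HMAC stand in for a TPM."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

ZERO = b"\x00" * 32
KEY = b"endpoint-attestation-key"  # constructed; a real endpoint would use a TPM-held key


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(reg: bytes, measurement: bytes) -> bytes:
    """Hash-chain extend in the style of a TPM PCR (assumed model): new = H(old || m)."""
    return sha256(reg + measurement)


class MeasurementAgent:
    """Runs on the endpoint at boot: measures each BIOS component or setting,
    extends the register and appends the measurement to the log."""

    def __init__(self, key: bytes):
        self.reg = ZERO
        self.log: List[Tuple[str, str]] = []  # (component, measurement hex)
        self.key = key  # stands in for the root of trust for reporting

    def measure(self, name: str, content: bytes) -> None:
        m = sha256(content)
        self.reg = extend(self.reg, m)
        self.log.append((name, m.hex()))

    def quote(self, nonce: bytes) -> Dict:
        """Signed report of the register value, bound to the requester's nonce."""
        payload = json.dumps({"reg": self.reg.hex(), "nonce": nonce.hex()}).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig, "log": list(self.log)}


def verify(q: Dict, nonce: bytes, key: bytes, golden: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Verification agent: authenticate the report, replay the log to the reported
    register value, then compare every entry with the golden measurements."""
    expected = hmac.new(key, q["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, q["sig"]):
        return False, ["quote signature invalid"]
    claims = json.loads(q["payload"])
    if claims["nonce"] != nonce.hex():
        return False, ["nonce mismatch (stale or replayed quote)"]
    findings: List[str] = []
    reg = ZERO
    for _, m_hex in q["log"]:  # an edited log no longer reproduces the signed register
        reg = extend(reg, bytes.fromhex(m_hex))
    if reg.hex() != claims["reg"]:
        findings.append("log does not reproduce the quoted register (log tampered)")
    for name, m_hex in q["log"]:
        if name not in golden:
            findings.append(f"unexpected component: {name}")
        elif golden[name] != m_hex:
            findings.append(f"{name}: measurement differs from golden")
    seen = dict(q["log"])
    findings += [f"missing measurement: {n}" for n in golden if n not in seen]
    return not findings, findings


def golden_from(components: Dict[str, bytes]) -> Dict[str, str]:
    """Golden measurements taken at provisioning or refreshed after a legitimate update."""
    return {n: sha256(c).hex() for n, c in components.items()}


def boot_and_attest(components: Dict[str, bytes], nonce: bytes, key: bytes = KEY) -> Dict:
    ma = MeasurementAgent(key)
    for name, content in components.items():
        ma.measure(name, content)
    return ma.quote(nonce)


# Constructed BIOS regions and settings standing in for real firmware contents.
BIOS_V1 = {"bios_core": b"BIOS 1.0 code", "secure_boot": b"enabled", "boot_order": b"disk,usb"}


def scenario() -> Dict[str, Tuple[bool, List[str]]]:
    nonce = b"\x01" * 16  # per-request nonce issued by the assessment authority
    golden = golden_from(BIOS_V1)
    tampered = dict(BIOS_V1, boot_order=b"usb,disk")  # unauthorized setting change
    v2 = dict(BIOS_V1, bios_core=b"BIOS 1.1 code")  # legitimate firmware update
    forged = boot_and_attest(tampered, nonce)  # attacker rewrites the log, cannot re-sign
    forged["log"] = [(n, golden[n] if n == "boot_order" else m) for n, m in forged["log"]]
    return {
        "clean": verify(boot_and_attest(BIOS_V1, nonce), nonce, KEY, golden),
        "tampered": verify(boot_and_attest(tampered, nonce), nonce, KEY, golden),
        "replayed": verify(boot_and_attest(BIOS_V1, nonce), b"\x02" * 16, KEY, golden),
        "update_stale_golden": verify(boot_and_attest(v2, nonce), nonce, KEY, golden),
        "update_refreshed_golden": verify(boot_and_attest(v2, nonce), nonce, KEY, golden_from(v2)),
        "forged_log": verify(forged, nonce, KEY, golden),
    }


if __name__ == "__main__":
    for case, (ok, findings) in scenario().items():
        print(f"{case:24s} {'PASS' if ok else 'FAIL'} {findings}")
```

The two update cases show why the golden measurements must change with every legitimate update: the same BIOS 1.1 boot fails against the stale baseline and passes once the baseline is refreshed, so a dashboard that cannot distinguish "updated" from "tampered" will bury real alerts under change noise.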

The special publication envisions such a system becoming "simply another standard offering of IT services."

For more:
- download the draft of SP 800-155 (.pdf)
