The National Institute of Standards and Technology is seeking comments on new draft guidelines for securing the basic input/output system (BIOS) on servers.
The draft publication, “BIOS Protection Guidelines for Servers” (NIST Special Publication 800-147B), addresses BIOS security in the varied architectures used by servers.
“While laptop and desktop computers have largely converged on a single architecture for system BIOS, server class systems have a more diverse set of architectures, and more mechanisms for updating or modifying the system BIOS,” said NIST’s Andrew Regenscheid.
Server manufacturers routinely update BIOS to fix bugs, patch vulnerabilities or support new hardware. However, while authorized updates to BIOS can improve functionality or security, unauthorized or malicious changes could be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate the organization’s systems or disrupt its operations.
Comments on the draft must be emailed to 800-147comments@nist.gov by September 14.