NSA, CISA Issue Baseboard Management Controller Cybersecurity Guidance

The National Security Agency and the Cybersecurity and Infrastructure Security Agency have released the “Harden Baseboard Management Controllers” cybersecurity information sheet to help baseboard management controllers protect their systems from cyberthreats.

According to the agencies, BMCs are prone to a variety of cyberthreats, including security solutions shutdown, data manipulation and malware infection. The damage could significantly impact an organization’s ability to remotely access network configuration and management resources because a BMC’s capabilities persist even if the server is shut down.

The recommendations in the guidance include imposing more secure BMC credentials and configurations, monitoring BMC integrity and establishing virtual network separation, NSA said.

The guidance follows the NSA’s release of a zero trust cybersecurity information sheet in March for identity, credential and access management. The Advancing Zero Trust Maturity Throughout the User Pillar guidance highlights how a mature zero trust architecture would help protect ICAM systems and includes recommendations on how to limit potential damages to systems.