NI Support for CMMC Compliance

Overview

NI provides these resources to help your team meet the requirements of CMMC.

Letters of Volatility - LOVs

LOVs provide a list of volatile and non-volatile memory locations, with instructions for clearing those memory locations. NI provides LOVs for most NI hardware products. LOVs are available with product documents at ni.com/docs, or at ni.com/letters-of-volatility.

Software Bill of Materials - SBOMs

SBOMs provide a complete list of software installed with and used by a software application. An SBOM gives an end user a single document to understand the components used in the software. This list can accelerate system checks when a vulnerability is discovered so that a reaction plan can be put into effect as fast as possible.

NI generates SBOMs for software products and we use these to identify vulnerabilities in components and to manage updates when necessary. For security reasons, NI does not publish these SBOMs publicly. If you need an SBOM for an NI software product, contact security@ni.com and we will discuss options with you.

FOSS/FLOSS Open Source Statements

Free (Libre) Open Source Software (FOSS or FLOSS) may incur certain usage or license restrictions on end users. NI software may contain open source software, and NI works to comply with all of the license terms of that software. Copies of software licenses (open source and non-open source) are available after installation in the Program Files(x86)\National Instruments\_Legal Information\ folder. NI's SBOMs can also be used to track license information.

Static Analysis for LabVIEW

Software developers may need to perform static code analysis to identify vulnerable components and non-secure coding practices. Many static code analysis tools are available on the market for text-based languages. However, LabVIEW's graphical programming environment presents a unique challenge for these tools.

To meet this need for a tool compatible with LabVIEW, some users use the VI Analyzer included with LabVIEW. VI Analyzer scans for code quality practices, not security issues, but the two are tightly linked, and VI Analyzer can help identify code issues that make a LabVIEW VI less secure.

For a more complete static analysis tool, JKI makes a full-featured static analysis tool called J-Crawler. This tool can generate a full SBOM, including code components added by the LabVIEW developer, and looks for the most common code issues that make LabVIEW code less secure. For more information on J-Crawler, visit http://jki.net.

Secure Configuration Guidelines

NI provides guidance to help customers configure products to improve the security features of the products. Follow these links for documents to help you use NI products in the most secure way possible:

NIST 800-171 Compliance Documents

For some products, NI publishes a compliance guide detailing how these products meet the requirements of NIST 800-171, or what actions you need to take as the end user to meet them. The following compliance guides are available upon request to security@ni.com:

  • LabVIEW Run-Time Engine
  • SystemLink
  • NI Linux RT for CompactRIO and PXI-Real Time

Secure Technology Implementation Guides - STIGs

The US Defense Information Systems Agency (DISA) maintains a database of Secure Technology Implementation Guides (STIGs) at public.cyber.mil/stigs/. Before posting a STIG, DISA works with the supplier to understand the product and approve the STIG.

NI is working with DISA to publish STIGs for different products. After working through the STIG process for LabVIEW, DISA determined that LabVIEW does not require a STIG because the end user builds an application using LabVIEW, and that application is where most of the secure configurations reside. In place of a STIG for LabVIEW, use the secure configuration guide listed above.

As additional STIGs are approved and posted by DISA, we will update this document with links.

 

Linux® is used pursuant to a sublicense from LMI, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.
