FORT MEADE, Md. – The National Security Agency (NSA) is releasing the Cybersecurity Information Sheet (CSI) “Guidance for Managing UEFI Secure Boot” to provide guidance on addressing Secure Boot configuration challenges.
Modern user devices boot so quickly that the actions of Secure Boot may seem invisible. This does not diminish the vital role Secure Boot plays in constraining boot binaries to those which are necessary for the device to boot and deemed trustworthy by the device owner.
Introduced to the Unified Extensible Firmware Interface (UEFI) industry standard in the mid-2000s as a security policy and device enforcement mechanism, Secure Boot is one of several solutions capable of limiting which software, including bootkits, may be executed during the boot process of a computing device.
The default Secure Boot settings that ship with most devices will prevent unsigned and unknown boot software from executing, while remaining open enough to allow many mainstream operating system distributions to boot. NSA previously published configuration guidance and customization instructions for organizations to further limit which operating system distributions and other boot software can run.
However, recent publicized vulnerabilities—PKFail, BlackLotus, and BootHole—have showcased the need for proper Secure Boot configuration on enterprise devices. This CSI clarifies what correct Secure Boot configuration looks like and provides guidance for system owners to query Secure Boot configuration, compare observed results to industry norms, and both recognize and recover from detected problems or misconfigurations.
Organizations that neglect Secure Boot configuration may be at a greater risk of exposure to bootkits and other persistence techniques.
The report was developed in furtherance of NSA’s cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, the Department of War, and Defense Industrial Base information systems. Therefore, information technology administrators and managers are encouraged to review this guidance on how to check for proper Secure Boot configuration, verify enforcement of Secure Boot policies at boot time, and confirm that those policies are configured correctly.
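The first check the CSI describes, querying whether Secure Boot is actually enforcing, can be scripted. The following is an added example written for this page, not code from the CSI or from NSA: on Linux it reads the UEFI SecureBoot and SetupMode variables from efivarfs (under the EFI_GLOBAL_VARIABLE GUID), strips the 4-byte attribute word that efivarfs prepends to every variable, and turns the two flags into a verdict. The sample byte strings in the test are constructed, and the verdict strings are this example's own wording.

```python
import struct
from pathlib import Path
from typing import Optional, Tuple

# GUID under which UEFI firmware publishes SecureBoot and SetupMode (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """efivarfs files start with a 4-byte little-endian attribute word, then the variable data."""
    if len(raw) < 4:
        raise ValueError("efivar too short to contain the attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def assess_secure_boot(secure_boot_raw: Optional[bytes], setup_mode_raw: Optional[bytes]) -> dict:
    """Interpret the two UEFI status variables; a missing SecureBoot variable means no UEFI enforcement."""
    if secure_boot_raw is None:
        return {"enforcing": False, "setup_mode": None,
                "verdict": "SecureBoot variable absent (legacy/CSM boot or no UEFI)"}
    _, sb = parse_efivar(secure_boot_raw)
    enforcing = len(sb) == 1 and sb[0] == 1      # 0x01 = enforcing, 0x00 = disabled
    setup_mode = None
    if setup_mode_raw is not None:
        _, sm = parse_efivar(setup_mode_raw)
        setup_mode = len(sm) == 1 and sm[0] == 1  # 0x01 = no PK enrolled, key stores unprotected
    if setup_mode:
        verdict = "firmware is in Setup Mode: key database writable without authentication"
    elif enforcing:
        verdict = "Secure Boot enforcing in User Mode"
    else:
        verdict = "Secure Boot disabled: unsigned boot binaries will load"
    return {"enforcing": enforcing, "setup_mode": setup_mode, "verdict": verdict}

def read_var(name: str) -> Optional[bytes]:
    """Read one variable from efivarfs, or None if it is not published."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE}"
    return path.read_bytes() if path.exists() else None

if __name__ == "__main__":
    print(assess_secure_boot(read_var("SecureBoot"), read_var("SetupMode"))["verdict"])
```

The equivalent query on Windows is the built-in Confirm-SecureBootUEFI PowerShell cmdlet; either result should then be compared against the expected policy for the fleet, as the CSI recommends.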
Read the full report here.
For further guidance on boot security, review “Boot Security Modes and Recommendations” and “UEFI Secure Boot Customization”.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721