SR-11 COMPONENT AUTHENTICITY - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki
Control:
- a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
- b. Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
Discussion: Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.
Related Controls: PE-3, SA-4, SI-7, SR-9, SR-10.
Control Enhancements:
- (1) COMPONENT AUTHENTICITY / ANTI-COUNTERFEIT TRAINING
  Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).
  Discussion: None.
  Related Controls: AT-3.
- (2) COMPONENT AUTHENTICITY / CONFIGURATION CONTROL FOR COMPONENT SERVICE AND REPAIR
  Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components].
  Discussion: None.
  Related Controls: CM-3, MA-2, MA-4, SA-10.
- (3) COMPONENT AUTHENTICITY / ANTI-COUNTERFEIT SCANNING
  Scan for counterfeit system components [Assignment: organization-defined frequency].
  Discussion: The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application).
  Related Controls: RA-5.
References: [ISO 20243].