SA-12: Supply Chain Protection
Control Family:
Baselines:
- Low: N/A
- Moderate: N/A
- High: SA-12
This control is withdrawn in the next version of this control set and incorporated into SR: Supply Chain Risk Management.
Control Statement
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
Supplemental Guidance
Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.
Control Enhancements
SA-12(1): Acquisition Strategies / Tools / Methods
Baseline(s):
The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers.
SA-12(2): Supplier Reviews
Baseline(s):
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
SA-12(5): Limitation Of Harm
Baseline(s):
The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain.
SA-12(7): Assessments Prior To Selection / Acceptance / Update
Baseline(s):
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
SA-12(8): Use Of All-Source Intelligence
Baseline(s):
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
SA-12(9): Operations Security
Baseline(s):
The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
SA-12(10): Validate As Genuine And Not Altered
Baseline(s):
The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.
SA-12(11): Penetration Testing / Analysis Of Elements, Processes, And Actors
Baseline(s):
The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service.
SA-12(12): Inter-Organizational Agreements
Baseline(s):
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
SA-12(13): Critical Information System Components
Baseline(s):
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components].
SA-12(14): Identity And Traceability
Baseline(s):
The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service.
SA-12(15): Processes To Address Weaknesses Or Deficiencies
Baseline(s):
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.