SA-19: Component Authenticity
Control Family:
Baselines:
- Low: N/A
- Moderate: N/A
- High: N/A
This control is withdrawn in the next version of this control set and incorporated into SR-11: Component Authenticity.
Control Statement
The organization:
- Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
- Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
Supplemental Guidance
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT.
Control Enhancements
SA-19(1): Anti-Counterfeit Training
Baseline(s):
The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).
SA-19(2): Configuration Control For Component Service / Repair
Baseline(s):
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
SA-19(3): Component Disposal
Baseline(s):
The organization disposes of information system components using [Assignment: organization-defined techniques and methods].
SA-19(4): Anti-Counterfeit Scanning
Baseline(s):
The organization scans for counterfeit information system components [Assignment: organization-defined frequency].