SR-11: Component Authenticity
Control Family:
Threats Addressed:
Control is new to this version of the control set and incorporates the following control from the previous version: SA-19: Component Authenticity.
Control Statement
- Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
- Report counterfeit system components to [Assignment (one or more): source of counterfeit component, [Assignment: organization-defined external reporting organizations], [Assignment: organization-defined personnel or roles]].
Supplemental Guidance
Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.
Control Enhancements
SR-11(1): Anti-counterfeit Training
Baseline(s):
- Low
- Moderate
- High
Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).
SR-11(2): Configuration Control for Component Service and Repair
Baseline(s):
- Low
- Moderate
- High
Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components].
SR-11(3): Anti-counterfeit Scanning
Baseline(s):
Scan for counterfeit system components [Assignment: organization-defined frequency].