SR-4(3): Validate as Genuine and Not Altered

Parent Control:

SR-4: Provenance

Threats Addressed:


(Not part of any baseline)

Control is new to this version of the control set and incorporates the following control from the previous version: SA-12(10): Validate As Genuine And Not Altered.

Control Statement

Employ the following controls to validate that the system or system component received is genuine and has not been altered: [Assignment: organization-defined controls].

Supplemental Guidance

For many systems and system components, especially hardware, there are technical means to determine if the items are genuine or have been altered, including optical and nanotechnology tagging, physically unclonable functions, side-channel analysis, cryptographic hash verifications or digital signatures, and visible anti-tamper labels or stickers. Controls can also include monitoring for out-of-specification performance, which can be an indicator of tampering or counterfeits. Organizations may leverage supplier and contractor processes for validating that a system or component is genuine and has not been altered and for replacing a suspect system or component. Some indications of tampering may be visible and addressable before accepting delivery, such as inconsistent packaging, broken seals, and incorrect labels. When a system or system component is suspected of being altered or counterfeit, the supplier, contractor, or original equipment manufacturer may be able to replace the item or provide a forensic capability to determine the origin of the counterfeit or altered item. Organizations can provide training to personnel on how to identify suspicious system or component deliveries.