SR-5(2): Assessments Prior to Selection, Acceptance, Modification, or Update

CSF v1.1 References:

Baselines:

(Not part of any baseline)

Control is new to this version of the control set and incorporates the following item from the previous version: SA-12(7): Assessments Prior To Selection / Acceptance / Update.

Control Statement

Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

Supplemental Guidance

Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see SR-6(1)). Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements.