SR-11 Component Authenticity
Control
a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
b. Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
Discussion
Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.
Related Controls
PE-3, SA-4, SI-7, SR-9, SR-10.
Enhancements
SR-11(1) Component Authenticity | Anti-counterfeit Training
Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).
Related: AT-3.
SR-11(2) Component Authenticity | Configuration Control for Component Service and Repair
Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components].
Related: CM-3, MA-2, MA-4, SA-10.
SR-11(3) Component Authenticity | Anti-counterfeit Scanning
Scan for counterfeit system components [Assignment: organization-defined frequency].
The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application).
Related: RA-5.