Supply chain risk management

On this page

• SR-01 Supply chain risk management policy and procedures
• SR-02 Supply chain risk management plan
• SR-03 Supply chain controls and processes
• SR-04 Provenance
• SR-05 Acquisition strategies, tools, and methods
• SR-06 Supplier assessments and reviews
• SR-07 Supply chain operations security
• SR-08 Notification agreements
• SR-09 Tamper resistance and detection
• SR-10 Inspection of systems or components
• SR-11 Component authenticity
• SR-12 Component disposal

The controls in the Supply chain risk management (SR) family support the mitigation of cyber security risks within the supply chain at all levels of an organization.

SR-01 Supply chain risk management policy and procedures

Activity

1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
   1. [Selection (1 or more): Organization-level; Mission/business process-level; System-level] supply chain risk management (SCRM) policy that
      1. addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
      2. is consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines
   2. procedures to facilitate the implementation of the SCRM policy and the associated SCRM controls
2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the SCRM policy and procedures
3. Review and update the current SCRM
   1. policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
   2. procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Discussion

SCRM policy and procedures address the controls in the SR family, as well as supply chain-related controls in other families, that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of SCRM policy and procedures.

In general, security and privacy program policies and procedures at the organization level are preferable and may remove the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.

Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.

Events that may precipitate an update to SCRM policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Related controls and activities

PM-09, PM-30, PS-08, SI-02, SI-12.

Enhancements

None.

References

• TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
• CSE-RCMP Harmonized Threat and Risk Assessment Methodology (TRA-1)
• TBS Guide to Integrated Risk Management
• Protecting your organization from software supply chain threats (ITSM.10.071)
• Cyber supply chain: An approach to assessing risk (ITSAP.10.070)
• Supply chain security for small and medium-sized organizations (ITSAP.00.070)
• Public Safety Canada Risk Management Guide for Critical Infrastructure Sectors

SR-02 Supply chain risk management plan

Activity

1. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]
2. Review and update the SCRM plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes
3. Protect the SCRM plan from unauthorized disclosure and modification

Discussion

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain.

Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or Canada. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders.

SCRM activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system level) is implementation-specific and provides policy implementation, requirements, constraints, and implications. It can either be standalone or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementing, and monitoring SCRM controls and the development/sustainment of systems across the system development lifecycle (SDLC) to support mission and business functions.

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose and, as such, the controls need to be tailored accordingly.

Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. SCRM plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities.

Finally, SCRM plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of lifecycle-based systems security engineering processes (see SA-08).

Related controls and activities

CA-02, CP-04, IR-04, MA-02, MA-06, PE-16, PL-02, PM-09, PM-30, RA-03, RA-07, SA-08, SI-04.

Enhancements

• (01) Supply chain risk management plan: Establish a SCRM team
  • Establish a SCRM team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined SCRM activities].
  • Discussion: To implement SCRM plans, organizations should establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM.
    The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, IT, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems.
    The SCRM team can be an extension of the security and privacy risk management processes or can be included as part of an organizational risk management team.
  • Related controls and activities: None.

References

• TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
• TBS Directive on Security Management: Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control
• Protecting your organization from software supply chain threats (ITSM.10.071)

SR-03 Supply chain controls and processes

Control

1. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]
2. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]
3. Document the selected and implemented supply chain processes and controls in [Selection (1): security and privacy plans; SCRM plan; [Assignment: organization-defined document]]

Discussion

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components.

Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

Related controls and activities

CA-02, MA-02, MA-06, PE-03, PE-16, PL-08, PM-30, SA-02, SA-03, SA-04, SA-05, SA-08, SA-09, SA-10, SA-15, SC-07, SC-29, SC-30, SC-38, SI-07, SR-06, SR-09, SR-11.

Enhancements

• (01) Supply chain controls and processes: Diverse supply base
  • Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services].
  • Discussion: Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event. Organizations should consider designing the system to include diverse materials and components.
  • Related controls and activities: None.
• (02) Supply chain controls and processes: Limitation of harm
  • Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls].
  • Discussion: Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations, employing approved vendor lists with standing reputations in industry, following pre-agreed maintenance schedules and update and patch delivery mechanisms, maintaining a contingency plan in case of a supply chain event, using procurement carve-outs that provide exclusions to commitments or obligations, using diverse delivery routes, and minimizing the time between purchase decisions and delivery.
  • Related controls and activities: None.
• (03) Supply chain controls and processes: Sub-tier flow-down
  • Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
  • Discussion: To manage supply chain risk effectively and holistically, it is important that organizations ensure that SCRM controls are included at all tiers in the supply chain. This includes ensuring that prime contractors have implemented processes to facilitate the flow-down of SCRM controls to subcontractors. The controls subject to flow-down are identified in SR-03B.
  • Related controls and activities: SR-05, SR-08.

References

• Protecting your organization from software supply chain threats (ITSM.10.071)
• Cyber supply chain: An approach to assessing risk (ITSAP.10.070)
• Public Safety Canada Risk Management Guide for Critical Infrastructure Sectors
• PSPC Contract Security Manual
• ISO 20243-1 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

SR-04 Provenance

Control

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data].

Discussion

Every system and system component has a point of origin and may be changed throughout their existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data.

Organizations should consider developing procedures (see SR-01) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations should have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data.

These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development lifecycle and incorporated into contracts and other arrangements, as appropriate.

Related controls and activities

CM-08, MA-02, MA-06, RA-09, SA-03, SA-08, SI-04.

Enhancements

• (01) Provenance: Identity
  • Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: [Assignment: organization-defined supply chain elements, processes, and personnel associated with organization-defined systems and critical system components].
  • Discussion: Knowing who and what is in the supply chains of organizations is critical to gaining visibility into supply chain activities. Visibility into supply chain activities is also important for monitoring and identifying high-risk events and activities. Without reasonable visibility into supply chain elements, processes, and personnel, it is very difficult for organizations to understand and manage risk and reduce their susceptibility to adverse events.
    Supply chain elements include organizations, entities, or tools used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems and system components. Supply chain processes include development processes for hardware, software, and firmware; shipping and handling procedures; configuration management tools, techniques, and measures to maintain provenance; personnel and physical security programs; or other programs, processes, or procedures associated with the production and distribution of supply chain elements.
    Supply chain personnel are individuals with specific roles and responsibilities related to the secure the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of a system or system component. Identification methods are sufficient to support an investigation in case of a supply chain change (e.g., if a supply company is purchased), compromise, or event.
  • Related controls and activities: IA-02, IA-08, PE-16.
• (02) Provenance: Track and trace
  • Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [Assignment: organization-defined systems and critical system components].
  • Discussion: Tracking the unique identification of systems and system components during development and transport activities provides a foundational identity structure for establishing and maintaining of provenance. For example, system components may be labelled using serial numbers or tagged using radio-frequency identification tags. Labels and tags can help provide better visibility into the provenance of a system or system component. A system or system component may have more than one unique identifier. Identification methods are sufficient to support a forensic investigation after a supply chain compromise or event.
  • Related controls and activities: IA-02, IA-08, PE-16, PL-02.
• (03) Provenance: Validate as genuine and not altered
  • Employ the following controls to validate that the system or system component received is genuine and has not been altered: [Assignment: organization-defined controls].
  • Discussion: For many systems and system components, especially hardware, there are technical means to determine if the items are genuine or have been altered, including optical and nanotechnology tagging, physically unclonable functions, side-channel analysis, cryptographic hash verifications or digital signatures, and visible anti-tamper labels or stickers. Controls can also include monitoring for out-of-specification performance, which can be an indicator of tampering or counterfeits.
    Organizations may leverage supplier and contractor processes for validating that a system or component is genuine and has not been altered and for replacing a suspect system or component. Some indications of tampering may be visible and addressable before accepting delivery, such as inconsistent packaging, broken seals, and incorrect labels. When a system or system component is suspected of being altered or counterfeit, the supplier, contractor, or original equipment manufacturer may be able to replace the item or provide a forensic capability to determine the origin of the counterfeit or altered item. Organizations can provide training to personnel on how to identify suspicious system or component deliveries.
  • Related controls and activities: AT-03, SR-09, SR-10, SR-11.
• (04) Provenance: Supply chain integrity — pedigree
  • Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.
  • Discussion: Authoritative information regarding the internal composition of system components and the provenance of technology, products, and services provides a strong basis for trust. The validation of the internal composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes material composition of components. For software, this includes the composition of open-source and proprietary code, including the version of the component at a given point in time.
    Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid. The validation of the internal composition and provenance can be achieved by various evidentiary artifacts or records that manufacturers and suppliers produce during the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of technology, products, and services.
    Evidentiary artifacts include, but are not limited to, software identification (SWID) tags, software component inventory, the manufacturers’ declarations of platform attributes (e.g., serial numbers, hardware component inventory), and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself.
  • Related controls and activities: RA-03.

References

• Protecting your organization from software supply chain threats (ITSM.10.071)
• ISO 27036-1 Cybersecurity — Supplier relationships — Part 1: Overview and concepts
• ISO 27036-2 Cybersecurity — Supplier relationships — Part 2: Requirements
• ISO 20243-1 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products
• Cyber supply chain: An approach to assessing risk (ITSAP.10.070)
• Public Safety Canada Risk Management Guide for Critical Infrastructure Sectors

SR-05 Acquisition strategies, tools, and methods

Control

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].

Discussion

Using an acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation.

Tools and techniques may provide protection against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development lifecycle. Organizations should also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers.

Organizations should consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

Related controls and activities

AT-03, SA-02, SA-03, SA-04, SA-05, SA-08, SA-09, SA-10, SA-15, SR-06, SR-09, SR-10, SR-11.

Enhancements

• (01) Acquisition strategies, tools, and methods: Adequate supply
  • Employ the following controls to ensure an adequate supply of [Assignment: organization-defined critical system components]: [Assignment: organization-defined controls].
  • Discussion: Adversaries can attempt to impede organizational operations by disrupting the supply of critical system components or corrupting supplier operations. Organizations may track systems and component mean time to failure to mitigate the loss of temporary or permanent system function. Controls to ensure that adequate supplies of critical system components include using multiple suppliers throughout the supply chain for the identified critical components, stockpiling spare components to ensure operation during mission-critical times, and identifying functionally identical or similar components that may be used, if necessary.
  • Related controls and activities: RA-09.
• (02) Acquisition strategies, tools, and methods: Assessments prior to selection, acceptance, modification, or update
  • Assess the system, system component, or system service prior to selection, acceptance, modification, or update.
  • Discussion: Organizational personnel or independent, external entities should conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits.
    Assessments can include evaluations; design proposal reviews; visual or physical inspections; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white-, grey-, or black-box testing; fuzz testing; stress testing; and penetration testing (see SR-06(01)). Evidence generated during assessments should be documented for follow-on actions by organizations.
    The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the SCRM process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements.
  • Related controls and activities: CA-08, RA-05, SA-11, SI-07.

References

• TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
• TBS Directive on Security Management: Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control
• Protecting your organization from software supply chain threats (ITSM.10.071)
• PSPC Contract Security Manual
• ISO 27036-1 Cybersecurity — Supplier relationships — Part 1: Overview and concepts
• ISO 27036-2 Cybersecurity — Supplier relationships — Part 2: Requirements
• ISO 20243-1 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

SR-06 Supplier assessments and reviews

Control

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].

Discussion

An assessment and review of supplier risk includes security and SCRM processes, foreign ownership, control, or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews should consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor.

Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

Related controls and activities

SR-03, SR-05.

Enhancements

• (01) Supplier assessments and reviews: Testing and analysis
  • Employ [Selection (1 or more): organizational analysis; independent third-party analysis; organizational testing; independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors].
  • Discussion: Relationships between entities and procedures within the supply chain, including development and delivery, are considered. Supply chain elements include organizations, entities, or tools that are used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems, system components, or system services.
    Supply chain processes include SCRM programs; SCRM strategies and implementation plans; personnel and physical security programs; hardware, software, and firmware development processes; configuration management tools, techniques, and measures to maintain provenance; shipping and handling procedures; and programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated and collected during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions.
  • Related controls and activities: CA-08, SI-04.

References

• TBS Directive on Security Management: Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control
• Protecting your organization from software supply chain threats (ITSM.10.071)
• Cyber supply chain: An approach to assessing risk (ITSAP.10.070)
• ISO 27036-1 Cybersecurity — Supplier relationships — Part 1: Overview and concepts
• ISO 27036-2 Cybersecurity — Supplier relationships — Part 2: Requirements
• ISO 20243-1 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products
• NIST FIPS 140-3 Security Requirements for Cryptographic Modules
• NIST FIPS 186-5 Digital Signature Standard (DSS)
• NIST FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

SR-07 Supply chain operations security

Control

Employ the following OPSEC controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined OPSEC controls].

Discussion

Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information; analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries; determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations; implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level; and considering how aggregated information may expose users or specific uses of the supply chain.

Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results.

Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services.

Related controls and activities

SC-38.

Enhancements

None.

References

• Protecting your organization from software supply chain threats (ITSM.10.071)
• ISO 27036-1 Cybersecurity — Supplier relationships — Part 1: Overview and concepts
• ISO 27036-2 Cybersecurity — Supplier relationships — Part 2: Requirements

SR-08 Notification agreements

Control

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (1 or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information]].

Discussion

The establishment of agreements and procedures facilitates communication among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

Related controls and activities

IR-04, IR-06, IR-08, SI-02.

Enhancements

None.

References

• Protecting your organization from software supply chain threats (ITSM.10.071)
• ISO 27036-1 Cybersecurity — Supplier relationships — Part 1: Overview and concepts
• ISO 27036-2 Cybersecurity — Supplier relationships — Part 2: Requirements

SR-09 Tamper resistance and detection

Control

Implement a tamper protection program for the system, system component, or system service.

Discussion

Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use.

Related controls and activities

PE-03, PM-30, SA-15, SI-04, SI-07, SR-03, SR-04, SR-05, SR-10, SR-11.

Enhancements

• (01) Tamper resistance and detection: Multiple stages of system development lifecycle
  • Employ anti-tamper technologies, tools, and techniques throughout the system development lifecycle.
  • Discussion: The system development lifecycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations should use a combination of hardware and software techniques for tamper resistance and detection. Organizations should use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage.
  • Related controls and activities: SA-03.

References

ISO 20243-1 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

SR-10 Inspection of systems or components

Control

Inspect the following systems or system components [Selection (1 or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering: [Assignment: organization-defined systems or system components].

Discussion

The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.

Related controls and activities

AT-03, PM-30, SI-04, SI-07, SR-03, SR-04, SR-05, SR-09, SR-11.

Enhancements

None.

References

ISO 20243-1 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

SR-11 Component authenticity

Control

1. Develop and implement anti-counterfeiting policy and procedures that include the means to detect and prevent counterfeit components from entering the system
2. Report counterfeit system components to [Selection (1 or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]

Discussion

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include the Cyber Centre.

Related controls and activities

PE-03, SA-04, SI-07, SR-09, SR-10.

Enhancements

• (01) Component authenticity: Anti-counterfeit training
  • Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).
  • Discussion: None.
  • Related controls and activities: AT-03.
• (02) Component authenticity: Configuration control for component service and repair
  • Maintain configuration control over the following system components awaiting service or repair and over serviced or repaired components awaiting return to service: [Assignment: organization-defined system components].
  • Discussion: None.
  • Related controls and activities: CM-03, MA-02, MA-04, SA-10.
• (03) Component authenticity: Anti-counterfeit scanning
  • Scan for counterfeit system components [Assignment: organization-defined frequency].
  • Discussion: The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application).
  • Related controls and activities: RA-05.

References

ISO 20243-1 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

SR-12 Component disposal

Control

Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].

Discussion

Data, documentation, tools, or system components can be disposed of at any time during the system development lifecycle (not only in the disposal or retirement phase of the lifecycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and can include methods such as disk cleaning, removal of cryptographic keys, and partial reuse of components.

Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps prevent such components from entering the grey market.

Related controls and activities

MP-06.

Enhancements

None.

References

None.