National Vulnerability Database

NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

SA-19 COMPONENT AUTHENTICITY

Family:
SA - SYSTEM AND SERVICES ACQUISITION
Class:
Priority:
P0 - Unspecified priority.
Baseline Allocation:
Low: N/A; Moderate: N/A; High: N/A

Control Description

The organization:

a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and

b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].

Supplemental Guidance

Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT.

Related to: PE-3, SA-12, SI-7

Control Enhancements

SA-19(1) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT TRAINING

The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).

SA-19(2) COMPONENT AUTHENTICITY | CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR

The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.

SA-19(3) COMPONENT AUTHENTICITY | COMPONENT DISPOSAL

The organization disposes of information system components using [Assignment: organization-defined techniques and methods].

Supplemental Guidance: Proper disposal of information system components helps to prevent such components from entering the gray market.

SA-19(4) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT SCANNING

The organization scans for counterfeit information system components [Assignment: organization-defined frequency].

References

None.