SP800-53rev3 catalog / class: Management / family: (SA) System and Services Acquisition

SA-12: Supply Chain Protection

base control objective:
The organization protects against supply chain threats by employing: [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.

supplemental objective information:
A defense-in-breadth approach helps to protect information systems (including the information technology products that compose those systems) throughout the SDLC (i.e., during design and development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). This is accomplished by the identification, management, and elimination of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to mitigate risk.

enhancements to the base objective:

(1) The organization employs anonymous acquisition processes.
Enhancement Supplemental Guidance: The organization can reduce the likelihood of targeted supply chain attacks during design, manufacture, and delivery by protecting the identity of the customer through the use of anonymous acquisition vehicles. An example of such a vehicle is using trusted individuals and/or organizations to support logistical or acquisition activities without revealing the true identity of the purchasing organization or the destination of the information system component or product. The organization can protect against an adversary targeting the manufacture or delivery of an information system component or product by encoding the purchasing organization’s identity until the component or product arrives at the final stage of transport, at which point it can be handled by a trusted individual and/or organization for final delivery to the purchasing organization.

(2) The organization purchases all anticipated information system components and spares in the initial acquisition.
Enhancement Supplemental Guidance: Stockpiling information system components and spares avoids the need to use less trustworthy secondary or resale markets in future years.

(3) The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware, software, firmware, or services.
Enhancement Supplemental Guidance: The organization reviews supplier claims with regard to the use of appropriate security processes in the development and manufacture of information system components or products.

(4) The organization uses trusted shipping and warehousing for information systems, information system components, and information technology products.
Enhancement Supplemental Guidance: Trusted shipping and warehousing reduces opportunities for subversive activities or interception during transit. Examples of supporting techniques include the use of a geographically aware beacon to detect shipment diversions or delays.

(5) The organization employs a diverse set of suppliers for information systems, information system components, information technology products, and information system services.
Enhancement Supplemental Guidance: Diversification of suppliers is intended to limit the potential harm from a given supplier in a supply chain, increasing the work factor for an adversary.

(6) The organization employs standard configurations for information systems, information system components, and information technology products.
Enhancement Supplemental Guidance: By avoiding the purchase of custom configurations for information systems, information system components, and information technology products, the organization limits the possibility of acquiring systems and products that have been corrupted via supply chain actions targeted at the organization.

(7) The organization minimizes the time between purchase decisions and delivery of information systems, information system components, and information technology products.
Enhancement Supplemental Guidance: By minimizing the time between purchase decisions and required delivery of information systems, information system components, and information technology products, the organization limits the opportunity for an adversary to corrupt the purchased system, component, or product.

(8) The organization employs independent analysis and penetration testing against delivered information systems, information system components, and information technology products.

mapping to FIPS199 baseline:

LOW: null    MOD: null    HIGH: base

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for SA-12:

None.
