CCI-003223
CCI-003223 Definition
Status:
Type: CheckType.policy
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification. The elements, processes, and actors must be defined IAW DoDI 5200.44. The organization should consider employing:
1. Procedures for proposing, evaluating, and justifying relevant changes to system/component provenance for their impact on components, processes, systems, missions, and exposure to supply chain risks;
2. Documented procedures for allocating responsibilities for the creation, maintenance, and monitoring of provenance;
3. Methods for tracking relevant purchasing, shipping, receiving, or transfer activities, including records of reviewer signatures for comparison;
4. Processes for transferring provenance responsibility for systems or components between organizations across physical and logical boundaries, including any approvals required;
5. Procedures for tracking and documenting chain of custody of the system or component, such as labeling (using serial numbers) and tagging (using radio-frequency identification [RFID] tags); and
6. Security reviews for evaluating and vetting key personnel employed by acquirers or suppliers in any capacity (full-time employee, part-time employee, consultant, contractor, subcontractor, vendor, agent, etc.).
DoD has determined the elements, processes, and actors are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented elements, processes, and actors to ensure the organization being inspected/assessed defines the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification IAW DoDI 5200.44. DoD has determined the elements, processes, and actors are not appropriate to define at the Enterprise level.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan for defining the supply chain elements, processes, and actors for the information system, system components, or information system service to establish and retain unique identification.