CCI-003364

The organization reports counterfeit information system components to the source of the counterfeit component, organization-defined external reporting organizations, and/or organization-defined personnel or roles.

Implementation Guidance

The organization being inspected/assessed documents and implements a process to report counterfeit information system components to source of counterfeit component, at a minimum, USCYBERCOM. And/or at a minimum, the ISSO, ISSM, and PM. The organization must maintain a record of reporting. DoD has defined the personnel or roles as at a minimum, the ISSO, ISSM, and PM. DoD has defined the external reporting organizations as at a minimum, USCYBERCOM.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of reporting to ensure the organization being inspected/assessed reports counterfeit information system components to source of counterfeit component, at a minimum, USCYBERCOM. And/or at a minimum, the ISSO, ISSM, and PM.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan for reporting counterfeit information system components to source of counterfeit component, organization-defined external reporting organizations and/or organization-defined personnel or roles.

The controls below (if any) were marked by NIST as being related to CCI-003364.