CCI-005097

Implementation Guidance

Determine if: - valid provenance is documented for [SR-04_ODP; systems, system components, and associated data that require valid provenance are defined]. - valid provenance is monitored for [SR-04_ODP; systems, system components, and associated data that require valid provenance are defined]. - valid provenance is maintained for [SR-04_ODP; systems, system components, and associated data that require valid provenance are defined].

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; supply chain risk management plan; documentation of critical systems, critical system components, and associated data; documentation showing the history of ownership, custody, and location of and changes to critical systems or critical system components; system architecture; inter-organizational agreements and procedures; contracts; system security plan; privacy plan; personally identifiable information processing policy; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities]. Test: [SELECT FROM: Organizational processes for identifying the provenance of critical systems and critical system components; mechanisms used to document, monitor, or maintain provenance].