CCI-005128

Inspect the following systems or system components at random, at organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.

Implementation Guidance

Determine if [SR-10_ODP[01]; systems or system components that require inspection are defined] are inspected [SR-10_ODP[02]; one or more of the following PARAMETER VALUES is/are selected: {at random; at [SR-10_ODP[03]; frequency at which to inspect systems or system components is defined (if selected)]; upon [SR-10_ODP[04]; indications of the need for an inspection of systems or system components are defined (if selected)]}] to detect tampering.

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; records of random inspections; inspection reports/results; assessment reports/results; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; inter-organizational agreements and procedures; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. Test: [SELECT FROM: Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities; organizational processes to inspect for tampering].

The controls below (if any) were marked by NIST as being related to CCI-005128.