CCI-005136

Implementation Guidance

Determine if counterfeit system components are reported to [SR-11_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {source of counterfeit component; [SR-11_ODP[02]; external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected)]; [SR-11_ODP[03]; personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected)]}].

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; anti-counterfeit plan; anti-counterfeit policy and procedures; media disposal policy; media protection policy; incident response policy; reports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; inter-organizational agreements and procedures; records of reported counterfeit system components; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting]. Test: [SELECT FROM: Organizational processes for counterfeit prevention, detection, and reporting; mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting].