CCI-000723
CCI-000723 Definition
Status | (not recorded)
Type | CheckType.policy
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed must identify and document in the Security Plan whether the system is a “covered system” IAW DoDI 5200.44. If it is a covered system, the organization must implement the requirements below:
1. Conduct a criticality analysis to identify mission critical functions and critical components and reduce the vulnerability of such functions and components through secure system design;
2. Request threat analysis of suppliers of critical components from the TSN focal point and manage access to and control of threat analysis products containing U.S. person information;
3. Engage TSN focal points for guidance on managing identified risk using DoD Components and Enterprise risk management resources; and
4. Apply TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems, at any point in the system lifecycle. Such tools and practices include contract requirements and the SCRM Key Practices Guide.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the Security Plan for the system to determine whether the system is a “covered system” IAW DoDI 5200.44. If it is a covered system, the organization conducting the inspection/assessment obtains and examines documentation of compliance with DoDI 5200.44, to ensure the organization being inspected/assessed has:
1. Conducted a criticality analysis to identify mission critical functions and critical components and reduced the vulnerability of such functions and components through secure system design;
2. Requested threat analysis of suppliers of critical components from the TSN focal point and managed access to and control of threat analysis products containing U.S. person information;
3. Engaged TSN focal points for guidance on managing identified risk using DoD Components and Enterprise risk management resources; and
4. Applied TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems, at any point in the system lifecycle. Such tools and practices include contract requirements and the SCRM Key Practices Guide.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan, which must show organization-defined protections against supply chain threats.