Navigate

SA-19

SA-19: Component Authenticity

The organization:

SA-19a.: Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and

SA-19b.: Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].

Supplemental

Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-19.

Control	Description
PE-3	The organization: PE-3a.: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; PE-3a.1.: Verifying individual access authorizations before granting access to the facility; and PE-3a.2.: Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; PE-3b.: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; PE-3c.: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; PE-3d.: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; PE-3e.: Secures keys, combinations, and other physical access devices; PE-3f.: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and PE-3g.: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
SA-12	The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
SI-7	The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Enhancements

The controls below (if any) add on to the requirements of SA-19.

Control	Description
SA-19 (1)	The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).
SA-19 (2)	The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
SA-19 (3)	The organization disposes of information system components using [Assignment: organization-defined techniques and methods].
SA-19 (4)	The organization scans for counterfeit information system components [Assignment: organization-defined frequency].

Related CCIs

The CCIs below are tied to SA-19.

CCI	Definition
CCI-003356	The organization develops an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system.
CCI-003357	The organization develops an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system.
CCI-003358	The organization develops anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.
CCI-003359	The organization develops anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.
CCI-003360	The organization implements an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system.
CCI-003361	The organization implements an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system.
CCI-003362	The organization implements anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.
CCI-003363	The organization implements anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.
CCI-003364	The organization reports counterfeit information system components to the source of the counterfeit component, organization-defined external reporting organizations, and/or organization-defined personnel or roles.
CCI-003365	The organization defines the external reporting organizations to which counterfeit information system components are to be reported.
CCI-003366	The organization defines the personnel or roles to whom counterfeit information system components are to be reported.