Navigate

SR-11

SR-11: Component Authenticity

a: Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

b: Report counterfeit system components to [one or more of "source of counterfeit component"/"{{ insert: param, sr-11_odp.02 }} "/"{{ insert: param, sr-11_odp.03 }} "].

Supplemental

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SR-11.

Control	Description
PE-3	a: Enforce physical access authorizations at [entry and exit points to the facility in which the system resides are defined;] by: 1: Verifying individual access authorizations before granting access to the facility; and 2: Controlling ingress and egress to the facility using [one or more of "{{ insert: param, pe-03_odp.03 }} "/"guards"]; b: Maintain physical access audit logs for [entry or exit points for which physical access logs are maintained are defined;]; c: Control access to areas within the facility designated as publicly accessible by implementing the following controls: [physical access controls to control access to areas within the facility designated as publicly accessible are defined;]; d: Escort visitors and control visitor activity [circumstances requiring visitor escorts and control of visitor activity are defined;]; e: Secure keys, combinations, and other physical access devices; f: Inventory [physical access devices to be inventoried are defined;] every [frequency at which to inventory physical access devices is defined;] ; and g: Change combinations and keys [one of ] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
SA-4	Include the following requirements, descriptions, and criteria, explicitly or by reference, using [one or more of "standardized contract language"/"{{ insert: param, sa-04_odp.02 }} "] in the acquisition contract for the system, system component, or system service: a: Security and privacy functional requirements; b: Strength of mechanism requirements; c: Security and privacy assurance requirements; d: Controls needed to satisfy the security and privacy requirements. e: Security and privacy documentation requirements; f: Requirements for protecting security and privacy documentation; g: Description of the system development environment and environment in which the system is intended to operate; h: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and i: Acceptance criteria.
SI-7	a: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [one of ] ; and b: Take the following actions when unauthorized changes to the software, firmware, and information are detected: [one of ].
SR-9	Implement a tamper protection program for the system, system component, or system service.
SR-10	Inspect the following systems or system components [one or more of "at random"/"at {{ insert: param, sr-10_odp.03 }} "/"upon {{ insert: param, sr-10_odp.04 }} "] to detect tampering: [systems or system components that require inspection are defined;].

Enhancements

The controls below (if any) add on to the requirements of SR-11.

Control	Description
SR-11(1)	Train [personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;] to detect counterfeit system components (including hardware, software, and firmware).
SR-11(2)	Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [system components requiring configuration control are defined;].
SR-11(3)	Scan for counterfeit system components [the frequency at which to scan for counterfeit system components is defined;].

Related CCIs

The CCIs below are tied to SR-11.

CCI	Definition
CCI-005132	Develop and document anti-counterfeit policy that include the means to detect and prevent counterfeit components from entering the system.
CCI-005133	Develop and document anti-counterfeit procedures that include the means to detect and prevent counterfeit components from entering the system.
CCI-005134	Report counterfeit system components to source of counterfeit component, organization-defined external reporting organizations, and/or organization-defined personnel or roles.
CCI-005135	Defines the external reporting organizations who report counterfeit system components.
CCI-005136	Defines the personnel or roles who report counterfeit system components.