Organizational Control: Component Authenticity

Control ID: SA-19 Component Authenticity
Family: System and Services Acquisition
Source: NIST 800-53r4
Control: The organization:
  1. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
  2. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
Supplemental Guidance:
Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT.

Related Controls: PE-3, SA-12, SI-7
Control Enhancements:
(2) Component Authenticity | Configuration Control For Component Service / Repair
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
Supplemental Guidance:
Related Controls: N/A

(3) Component Authenticity | Component Disposal
The organization disposes of information system components using [Assignment: organization-defined techniques and methods].
Supplemental Guidance: Proper disposal of information system components helps to prevent such components from entering the gray market.
Related Controls: N/A
References: N/A
Mechanisms:

Protocol Implementation Conformance Statements: N/A