
SR-11 Component Authenticity

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

b. Report counterfeit system components to [Selection (one or more): source of counterfeit component; organization-defined external reporting organizations; organization-defined personnel or roles].

>DoD Impact Level Requirements

Additional Requirements and Guidance

SR-11 Requirement: CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

>Discussion

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

>Programmatic Queries


Related Services

ECR
Signer
CodeArtifact

CLI Commands

  • Check ECR image scanning: aws ecr describe-image-scan-findings --repository-name REPO --image-id imageDigest=DIGEST
  • List Signer signing profiles: aws signer list-signing-profiles
  • Check CodeArtifact domains: aws codeartifact list-domains
  • Verify image signature: aws signer list-signing-jobs --status Succeeded
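The check behind "verify image signature", written out as an added example (not part of this page or of the AWS tooling it lists): the vendor signs a manifest of component digests, and the consumer rejects any component that fails either the signature check or the digest comparison. Manifest, Verify, NewVendorKey and the constructed sample component are this example's own names; an Ed25519 key pair stands in for a Signer profile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each shipped component name to its hex SHA-256 digest; the vendor signs it.
type Manifest map[string]string

// Canonical renders the manifest deterministically (sorted lines) for signing.
func (m Manifest) Canonical() []byte {
	var lines []string
	for name, digest := range m {
		lines = append(lines, name+"="+digest)
	}
	sort.Strings(lines) // map order is random; a signature needs fixed bytes
	return []byte(strings.Join(lines, "\n"))
}

func Digest(data []byte) string { s := sha256.Sum256(data); return hex.EncodeToString(s[:]) } // hex SHA-256 of the component bytes

// NewVendorKey and SignManifest stand in for the vendor's signing service (the role
// AWS Signer plays on this page); the consumer is given only the public key.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// Verify is the consumer-side check; a non-nil error is what SR-11(b) says to report.
func Verify(pub ed25519.PublicKey, m Manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return fmt.Errorf("manifest signature invalid: altered or not signed by the vendor")
	}
	want, listed := m[name]
	if got := Digest(data); !listed || got != want {
		return fmt.Errorf("component %q not authentic: digest %s, manifest entry %q", name, got, want)
	}
	return nil
}
```

An unlisted component, a component whose bytes changed after signing, and a manifest edited without the vendor's private key all produce an error, which is the event to record and report under SR-11(b).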

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-11?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?
  • How do you evaluate and select suppliers based on security criteria?
  • What security requirements are imposed on system developers?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?
  • What anti-counterfeit measures are in place?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you provide recent supplier security assessment reports?
  • Can you show component inventory and validation records?
