>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SR-5(2)Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update

IL5
IL6

>Control Description

Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see SR-6(1)).

Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments.

Evidence and other documentation may be shared in accordance with organizational agreements.

>Related Controls

CA-8
RA-5
SA-11
SI-7

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-5(2)?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?
  • What anti-counterfeit measures are in place?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you show component inventory and validation records?

Ask AI

Configure your API key to use AI features.