SR-4(2)—Track And Trace
>Control Description
Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: ⚙organization-defined systems and critical system components.
>Cross-Framework Mappings
>Supplemental Guidance
Tracking the unique identification of systems and system components during development and transport activities provides a foundational identity structure for the establishment and maintenance of provenance. For example, system components may be labeled using serial numbers or tagged using radio-frequency identification tags. Labels and tags can help provide better visibility into the provenance of a system or system component.
A system or system component may have more than one unique identifier. Identification methods are sufficient to support a forensic investigation after a supply chain compromise or event.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What supply chain risk management policies address SR-4(2)?
- •Who is responsible for managing supply chain risks?
- •How do you assess and monitor risks from suppliers, vendors, and contractors?
Technical Implementation:
- •What processes ensure that supply chain components meet security requirements?
- •How do you verify the authenticity and integrity of acquired components?
- •What controls prevent counterfeit or malicious components from entering your supply chain?
- •How do you track and verify the provenance of system components?
Evidence & Documentation:
- •Can you provide supply chain risk assessments?
- •What documentation demonstrates supplier compliance with security requirements?
- •Where do you maintain records of supplier assessments and component provenance?
- •Can you show component inventory and validation records?
Ask AI
Configure your API key to use AI features.