Device Class 3: Supply Chain Protection

Control ID: SA-12 Supply Chain Protection
Family: System and Services Acquisition
Source: NIST 800-53r4
Control: The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
Supplemental Guidance:
Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.
In the case of C-ITS, this control applies to device design and related information developed during the development phase of a device's life cycle.

Related Controls: AT-3, CM-8, IR-4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-15, SA-18, SA-19, SC-38, SI-7, SA-14, SC-29, SC-30
Control Enhancements: N/A
References: N/A
Mechanisms:

  • No specific mechanisms are identified; however, any supplier should document how devices are protected in all cases described under 'supplemental guidance' above.

Protocol Implementation Conformance Statements: N/A