1. Home
  2. Industrial Control Systems
  3. SA-19

SA-19: COMPONENT AUTHENTICITY

NOT SELECTED FOR INDUSTRIAL CONTROL SYSTEMS

The organization:

    • a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
    • b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].

SUPPLEMENTAL GUIDANCE

Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT.

CONTROL ENHANCEMENTS

SA-19 (1) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT TRAINING

The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).

Supplemental Guidance: NONE

SA-19 (2) COMPONENT AUTHENTICITY | CONFIGURATION CONTROL FOR COMPONENT SERVICE/REPAIR

The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.

Supplemental Guidance: NONE

SA-19 (3) COMPONENT AUTHENTICITY | COMPONENT DISPOSAL

The organization disposes of information system components using [Assignment: organization-defined techniques and methods].

Supplemental Guidance:

Proper disposal of information system components helps to prevent such components from entering the gray market.

SA-19 (4) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT SCANNING

The organization scans for counterfeit information system components [Assignment: organization-defined frequency].

Supplemental Guidance: NONE

REFERENCES:

  • NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY