THRD-05

Do you have a process and implemented procedures for managing your hardware supply chain (e.g., telecommunications equipment, export licensing, computing devices)?

Explanation

This question is asking whether your organization has established processes and procedures for managing the security and compliance aspects of your hardware supply chain. The hardware supply chain includes all the vendors, manufacturers, and distributors involved in providing the physical computing equipment your organization uses.

Why it's being asked:

1. Supply chain attacks have become increasingly common, where attackers compromise hardware during manufacturing or distribution before it reaches customers.
2. Hardware from certain countries or vendors may be subject to export controls or restrictions due to national security concerns.
3. Compromised hardware can create persistent security vulnerabilities that are difficult to detect and remediate.
4. Regulatory requirements (like NIST 800-53, CMMC, or regional regulations) often mandate supply chain risk management.

The question specifically asks about:

- Having a documented process (written policies)
- Implemented procedures (actual actions taken)
- Managing telecommunications equipment (networking hardware, etc.)
- Export licensing compliance (ensuring hardware isn't illegally exported/imported)
- Computing device procurement and verification

To best answer this question:

1. Describe your formal hardware supply chain management program
2. Explain how you vet and monitor hardware vendors
3. Detail your procedures for verifying hardware integrity upon receipt
4. Mention any compliance with relevant regulations (NDAA Section 889, EU regulations, etc.)
5. Describe how you track hardware throughout its lifecycle
6. Explain how you handle hardware disposal securely

Guidance

Make sure you address any national or regional regulations.

Example Responses

Example Response 1

Yes, we have a comprehensive Hardware Supply Chain Management Program that governs the procurement, verification, and lifecycle management of all hardware assets. Our program includes:

1. Vendor Risk Assessment: All hardware vendors undergo security and compliance assessments before approval, including verification that they aren't on restricted entity lists (like the US Entity List).
2. Procurement Controls: Hardware purchases must go through approved channels with appropriate documentation and approvals.
3. Receipt Verification: All hardware undergoes inspection upon receipt to verify authenticity and detect tampering, including verification of serial numbers against manufacturer records.
4. Export Compliance: We maintain an Export Compliance Program that ensures all hardware purchases and transfers comply with US export regulations (EAR/ITAR) and regional requirements like EU dual-use regulations.
5. Telecommunications Equipment: We comply with NDAA Section 889 restrictions on certain telecommunications equipment manufacturers and maintain an approved vendor list.
6. Asset Management: All hardware is tracked in our asset management system from procurement through disposal.
7. Secure Disposal: Hardware disposal follows NIST 800-88 guidelines for media sanitization.

Our program is reviewed annually and updated to reflect changing regulations and threat landscapes.

Example Response 2

Yes, our organization implements a Hardware Supply Chain Risk Management (SCRM) framework based on NIST SP 800-161. Our procedures include:

1. Trusted Supplier Program: We maintain a list of authorized hardware suppliers who have passed our security assessment process. This includes verification of their manufacturing security practices and compliance with relevant regulations.
2. Hardware Verification: Upon delivery, our IT security team performs integrity checks on all critical infrastructure components, including firmware verification and hardware inspection for signs of tampering.
3. Regional Compliance: We maintain compliance with EU CE marking requirements and UK UKCA requirements, and follow the RoHS and WEEE directives for hardware procurement and disposal.
4. Telecommunications Equipment: We follow a strict policy prohibiting the use of equipment from manufacturers identified as security risks by relevant authorities (e.g., certain Chinese manufacturers as identified in US NDAA Section 889).
5. Secure Configuration: All hardware is configured according to security baselines before deployment.
6. Continuous Monitoring: We subscribe to vendor security bulletins and vulnerability notifications for all deployed hardware.
7. Documentation: All hardware procurement, verification, and disposal activities are documented in our GRC platform for audit purposes.

Example Response 3

No, we do not currently have a formal process for managing our hardware supply chain. Our procurement department handles hardware purchases based primarily on cost and availability factors, without specific security verification procedures. We rely on the reputation of major vendors and distributors but don't conduct formal security assessments of our hardware suppliers.

We recognize this as a gap in our security program and are working to develop a more structured approach. We're currently drafting a Hardware Supply Chain Management Policy that will address vendor security assessments, hardware verification upon receipt, and compliance with relevant regulations including export controls. We expect to implement this policy within the next 6 months, including training for relevant personnel and establishing verification procedures for new hardware acquisitions.

In the interim, we've implemented basic controls such as purchasing only from authorized resellers and maintaining hardware inventories, but we acknowledge the need for a more comprehensive approach to hardware supply chain security.

Context

Tab: Organization
Category: Assessment of Third Parties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub