Does your organization have a formal process to verify the authenticity, integrity, and security of critical products before acquisition and deployment?
Explanation
Pre-acquisition assurance is the subject: this item asks whether you have a formal process to verify the authenticity, integrity, and security of critical products before you deploy them.
This includes verifying the legitimacy of the vendor, checking for tampering during delivery, and evaluating security vulnerabilities or weaknesses in the products themselves.
These checks help prevent supply chain attacks, counterfeit products, and the introduction of compromised software or hardware into your systems.
Evidence could include a documented product security assessment procedure, vendor verification checklists, digital signature verification processes, or reports from security testing performed on critical products before deployment.
Implementation Example
Assess the authenticity, integrity, and security of critical products prior to acquisition and use
ID: GV.SC-06.097
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

