Does your organization maintain provenance records for all acquired technology products and services?
Explanation
Technology provenance records document the origin, chain of custody, and authenticity of technology products and services your organization acquires.
These records help verify that products come from legitimate sources, haven't been tampered with, and don't contain malicious components or vulnerabilities.
Provenance records are particularly important for supply chain security, as they help identify potential risks from third-party vendors and protect against counterfeit or compromised products.
They also support compliance with regulations that require verification of technology sources.
Evidence could include a centralized provenance record system, supplier verification documentation, chain of custody records, digital signatures or certificates of authenticity, and procurement policies that explicitly require provenance documentation for all technology acquisitions.
Implementation Example
Policies and procedures require provenance records for all acquired technology products and services
ID: GV.SC-09.108
Context
- Function: GV: GOVERN
- Category: GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?