GV.SC-09.108
Does your organization maintain provenance records for all acquired technology products and services?
Explanation
Technology provenance records document the origin, chain of custody, and authenticity of technology products and services your organization acquires. These records help verify that products come from legitimate sources, haven't been tampered with, and don't contain malicious components or vulnerabilities.Provenance records are particularly important for supply chain security, as they help identify potential risks from third-party vendors and protect against counterfeit or compromised products. They also support compliance with regulations that require verification of technology sources. Evidence could include a centralized provenance record system, supplier verification documentation, chain of custody records, digital signatures or certificates of authenticity, and procurement policies that explicitly require provenance documentation for all technology acquisitions.
Implementation Example
Policies and procedures require provenance records for all acquired technology products and services
ID: GV.SC-09.108
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
