Does your organization have documented policies and procedures for verifying critical hardware upgrades against unauthorized changes before implementation?
Explanation
This control ensures that hardware upgrades are thoroughly inspected for potential tampering, unauthorized modifications, or supply chain compromises before being deployed in your environment. For example, firmware updates for network devices, server components, or security appliances should be verified for integrity and authenticity to prevent the introduction of backdoors or malicious code.
Evidence could include a formal hardware change management procedure document that specifically addresses verification steps for detecting unauthorized changes, such as digital signature verification processes, hash comparison records, or vendor verification checklists used during recent critical hardware upgrades.
Implementation Example
Policies and procedure require checking upgrades to critical hardware for unauthorized changes
ID: GV.SC-09.112
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

