Does your organization have a formal process to assess the authenticity and security posture of critical technology products and services before acquisition and deployment?
Explanation
Reviewers look for pre-acquisition due diligence: a formal, documented process for assessing the authenticity and security posture of critical technology products and services before they are acquired and deployed. The assessment should cover verification of vendor credentials, security certifications, vulnerability testing results, and supply chain integrity (that the hardware and software delivered are genuine and unmodified), so that compromised or insecure components are not introduced into the environment.
Evidence could include a documented vendor security assessment procedure, completed security questionnaires for recent technology acquisitions, records of security certification verification, or reports from third-party security assessments of products prior to purchase decisions.
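The supply chain integrity part of that assessment has a concrete, automatable core: before a delivered package is accepted, compare what was received with what the vendor says it published. The following is an added illustration, not part of this questionnaire or of any vendor's tooling. It assumes a sha256sum-style checksum manifest (the `<hex>  <name>` format that `sha256sum` emits) obtained from a channel separate from the download itself, for example the vendor's signed release page; the release name, file names and file contents are constructed sample data.

```python
import hashlib
from typing import Dict

# Constructed sample: the artifacts a vendor published for one release. In practice
# these are the bytes you downloaded; they are embedded here so the example runs offline.
VENDOR_RELEASE: Dict[str, bytes] = {
    "agent-1.4.2-linux-amd64.tar.gz": b"\x1f\x8b constructed tarball payload, not a real archive",
    "agent-1.4.2-linux-amd64.tar.gz.sig": b"constructed detached signature bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Produce a sha256sum-style manifest: one '<hex>  <name>' line per artifact.
    Here it stands in for the checksum file the vendor publishes out-of-band."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum output into {name: hex_digest}. Accepts both the '  ' (text)
    and ' *' (binary, from sha256sum -b) separators and rejects malformed entries,
    so a truncated or edited manifest cannot silently verify nothing."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: {parts[0]!r} is not a SHA-256 hex digest")
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        expected[name] = digest
    return expected


def verify_release(manifest_text: str, received: Dict[str, bytes]) -> Dict[str, str]:
    """Compare received artifacts with the manifest. Returns {name: status} where status is
    'ok', 'mismatch' (content differs from what the vendor published), 'missing'
    (listed in the manifest but not received) or 'unexpected' (received but not listed)."""
    expected = parse_manifest(manifest_text)
    report: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in received:
            report[name] = "missing"
        elif sha256_hex(received[name]) == digest:
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    for name in received:
        if name not in expected:
            report[name] = "unexpected"
    return report


def approve_for_deployment(report: Dict[str, str]) -> bool:
    """Fail closed: an empty report or any non-'ok' artifact blocks the whole release."""
    return bool(report) and all(status == "ok" for status in report.values())


if __name__ == "__main__":
    manifest = build_manifest(VENDOR_RELEASE)  # the vendor-published checksums, trusted out-of-band
    tampered = dict(VENDOR_RELEASE)
    tampered["agent-1.4.2-linux-amd64.tar.gz"] += b"\x00injected"  # e.g. a modified mirror copy
    for received in (VENDOR_RELEASE, tampered):
        report = verify_release(manifest, received)
        print(report, "->", "approved" if approve_for_deployment(report) else "REJECTED")
```

Two caveats belong in the process alongside this check. A checksum only proves that the artifact matches the manifest; it says nothing about authenticity unless the manifest itself came from a source you trust independently of the download (a signed release page, a detached signature verified against a vendor key obtained earlier, or a checksum recorded at contract time). And a manifest entry that is missing or unexpected is a finding, not noise: the fail-closed `approve_for_deployment` treats both the same way as a mismatch.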
Implementation Example
Assess the authenticity and cybersecurity of critical technology products and services prior to acquisition and use
ID: ID.RA-09.175
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.RA: Risk Assessment
- Sub-Category
  - ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?