ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

SA-12(14) SUPPLY CHAIN PROTECTION  |  IDENTITY AND TRACEABILITY

Applicable: (Y)es / (N)o

(C)onfidentiality: L1 / M2 / H3

(I)ntegrity: L1 / M2 / H3

(A)vailability: L1 / M2 / H3

RPN (C+I+A):

Result: (S)atisfactory / (O)ther than satisfactory

ASSESSMENT OBJECTIVE:

Determine if the organization:

SA-12(14)[1] defines the following for the establishment and retention of unique identification:

SA-12(14)[1][a] supply chain elements;

SA-12(14)[1][b] supply chain processes;

SA-12(14)[1][c] supply chain actors; and

SA-12(14)[2] establishes and retains unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [select from: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; list of supply chain elements, processes, and actors (associated with the information system, system component, or information system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques and/or configurations; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities; organizational personnel with responsibilities for establishing and retaining unique identification of supply chain elements, processes, and actors].

Test: [select from: Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors; automated mechanisms supporting and/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056