SA-12(13) — Critical Information System Components

Identify and apply enhanced protections to critical information system components — the parts of your infrastructure that, if compromised, would have the most severe impact on your mission.

Example 1: Identify your critical components (domain controllers, certificate authorities, key management servers, core network switches) and apply enhanced supply chain protections: buy only from authorized resellers, verify authenticity before deployment, and monitor them more closely during operation.

Example 2: Maintain a critical components registry that lists each critical component, its vendor, supply chain risk rating, and the enhanced protections applied. Review this registry semiannually and update it when your infrastructure changes or new threats emerge.