NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT
SR-4(4) — Supply Chain Integrity — Pedigree
Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Authoritative information regarding the internal composition of system components and the provenance of technology, products, and services provides a strong basis for trust. The validation of the internal composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes the material composition of components. For software, this includes the composition of open-source and proprietary code, including the version of each component at a given point in time. Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid. The validation of the internal composition and provenance can be achieved by various evidentiary artifacts or records that manufacturers and suppliers produce during the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of technology, products, and services. Evidentiary artifacts include, but are not limited to, software identification (SWID) tags, software component inventory, the manufacturers’ declarations of platform attributes (e.g., serial numbers, hardware component inventory), and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself.
Practitioner Notes
Maintain a complete pedigree — the documented history of a component from its origin through all handling, modification, and testing — for critical supply chain elements.
Example 1: For hardware used in classified or high-security environments, require vendors to provide a complete chain-of-custody document covering manufacture, assembly, testing, packaging, and shipping. Any gaps in the pedigree documentation should be investigated.
Example 2: For custom-developed software, maintain a complete development history in your version control system (Git). Every code change, code review, test result, and build artifact is traceable from requirements through deployment, creating a verifiable software pedigree.
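The following is an added example, not part of NIST SP 800-53 or of any supplier's tooling, showing the validation step the Supplemental Guidance describes and that Example 2 relies on: a supplier's declared component inventory (an SBOM- or SWID-style list of components with content hashes) is checked against the components actually observed on the delivered system. Every component name, version, hash and byte string below is constructed for illustration; the JSON layout of the declaration is an assumed format, not a standard. The check classifies each declared component as verified, mismatched (present but with a different measurement) or missing, and flags anything present that the supplier never declared, which is the software equivalent of a gap in a hardware chain-of-custody record.

```python
"""Added example: validate a supplier's declared component pedigree against
observed artifacts. All names, hashes and bytes are constructed samples."""
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Measurement of one component: SHA-256 over its bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: bytes observed on the delivered system. In practice these
# are read from disk, from a firmware dump, or from a measurement log.
OBSERVED_ARTIFACTS = {
    "libcrypto.so.3": b"\x7fELF-constructed-libcrypto-3.0.12",
    "app-core.jar": b"PK-constructed-app-core-2.4.1",
    "bios.bin": b"constructed-bios-image-v1.07",
    "debug-agent.so": b"\x7fELF-constructed-agent",  # present, never declared
}

# Constructed sample: the supplier's declaration (assumed JSON layout). Two
# hashes are derived from the observed bytes so they verify; one is wrong;
# one component is declared but absent from the delivery.
SUPPLIER_DECLARATION = json.dumps({
    "supplier": "ExampleVendor (constructed)",
    "product": "widget-controller",
    "components": [
        {"name": "libcrypto.so.3", "version": "3.0.12", "origin": "open-source",
         "sha256": sha256_hex(OBSERVED_ARTIFACTS["libcrypto.so.3"])},
        {"name": "app-core.jar", "version": "2.4.1", "origin": "proprietary",
         "sha256": "0" * 64},  # does not match what actually shipped
        {"name": "bios.bin", "version": "1.07", "origin": "firmware",
         "sha256": sha256_hex(OBSERVED_ARTIFACTS["bios.bin"])},
        {"name": "telemetry.so", "version": "1.2.0", "origin": "proprietary",
         "sha256": "f" * 64},  # declared, but not present
    ],
})


@dataclass
class PedigreeReport:
    verified: list = field(default_factory=list)    # declared, present, hash matches
    mismatched: list = field(default_factory=list)  # declared, present, hash differs
    missing: list = field(default_factory=list)     # declared, not present
    undeclared: list = field(default_factory=list)  # present, not declared

    @property
    def accepted(self) -> bool:
        """Accept the delivery only when every component is accounted for."""
        return not (self.mismatched or self.missing or self.undeclared)


def validate_pedigree(declaration_json: str, observed: dict) -> PedigreeReport:
    """Compare the supplier's declared composition with the observed artifacts."""
    declaration = json.loads(declaration_json)
    report = PedigreeReport()
    declared_names = set()
    for comp in declaration["components"]:
        name = comp["name"]
        declared_names.add(name)
        if name not in observed:
            report.missing.append(name)
            continue
        if sha256_hex(observed[name]) == comp["sha256"].lower():
            report.verified.append(name)
        else:
            report.mismatched.append(name)
    # Anything shipped that the supplier did not declare is a gap in the
    # pedigree and must be investigated before the delivery is accepted.
    report.undeclared = sorted(set(observed) - declared_names)
    return report


if __name__ == "__main__":
    report = validate_pedigree(SUPPLIER_DECLARATION, OBSERVED_ARTIFACTS)
    for label in ("verified", "mismatched", "missing", "undeclared"):
        print(f"{label:10s} {getattr(report, label)}")
    print("accept delivery:", report.accepted)
```

The acceptance rule is deliberately strict: a single mismatched, missing or undeclared component rejects the delivery, because each of those is exactly the kind of gap Example 1 says must be investigated rather than waived. Hashes are compared case-insensitively since suppliers emit them in either case; the version and origin fields are carried through the report unchanged so the investigator can see what was claimed for a failing component.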