NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT

SR-9(1) Multiple Stages of System Development Life Cycle

Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage.

Practitioner Notes

Apply tamper protection at multiple stages of the system development lifecycle — not just at delivery, but during development, testing, and deployment.

Example 1: Use code signing throughout your development pipeline. Sign code at build time, verify signatures at testing, and re-verify at deployment. If signatures do not match at any stage, the code may have been tampered with between stages.
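The sign-at-build, verify-at-test, re-verify-at-deploy flow from Example 1, as an added sketch that is not part of the control text or any vendor's tooling. It assumes a three-stage pipeline with hypothetical function names, and uses HMAC-SHA256 from the standard library as a stand-in for the asymmetric signature a real pipeline would use; the key and artifact are constructed samples.

```python
import hashlib
import hmac

# Constructed demo key. A real pipeline would hold an asymmetric signing key
# in the build system; HMAC is only a stdlib stand-in for that signature.
BUILD_KEY = b"constructed-demo-key-not-for-production"
STAGES = ("build", "test", "deploy")

def sign_artifact(data: bytes, key: bytes) -> dict:
    """Build stage: record the artifact digest and a signature over it."""
    digest = hashlib.sha256(data).hexdigest()
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "sig": sig}

def verify_artifact(data: bytes, record: dict, key: bytes) -> bool:
    """Later stages: recompute the digest, then check the signature over it."""
    digest = hashlib.sha256(data).hexdigest()
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    # The digest must match the record, and the record's signature must be
    # one that only the holder of the build key could have produced.
    return (hmac.compare_digest(digest, record.get("sha256", ""))
            and hmac.compare_digest(expected, record.get("sig", "")))

def first_tampered_stage(handoffs: dict, key: bytes):
    """handoffs maps stage -> (artifact bytes, record) as received there.
    Returns the first stage whose verification fails, or None."""
    for stage in STAGES[1:]:  # build signs; test and deploy verify
        data, record = handoffs[stage]
        if not verify_artifact(data, record, key):
            return stage
    return None

# Constructed sample artifact and the record produced at build time.
artifact = b"app-1.0 release bytes (constructed sample)"
record = sign_artifact(artifact, BUILD_KEY)
clean = {"test": (artifact, record), "deploy": (artifact, record)}

# Case 1: artifact changed after testing, record untouched.
altered = artifact + b" +extra"
modified = {"test": (artifact, record), "deploy": (altered, record)}

# Case 2: artifact changed and the recorded digest replaced to match it.
# A hash-only comparison would pass here; the signature check does not.
forged = {"sha256": hashlib.sha256(altered).hexdigest(), "sig": record["sig"]}
swapped = {"test": (artifact, record), "deploy": (altered, forged)}

if __name__ == "__main__":
    for name, h in (("clean", clean), ("modified", modified), ("swapped", swapped)):
        print(name, "->", first_tampered_stage(h, BUILD_KEY))
```

The stage name returned by `first_tampered_stage` narrows the tampering to the handoff immediately before that stage, which is the detail worth recording alongside the failed verification.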

Example 2: For hardware development, apply tamper-evident controls during manufacturing, shipping, receiving, and installation. At each handoff point, verify the integrity of previous tamper controls and apply new ones. Document each verification in the component's pedigree record.