SR - Supply Chain Risk Management
- Controls Count: 12
- Controls IDs: SR-1, SR-2, SR-2 (1), SR-3, SR-5, SR-6, SR-8, SR-10, SR-11, SR-11 (1), SR-11 (2), SR-12
Controls
SR-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level supply chain risk management policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;
Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and
Review and update the current supply chain risk management:
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Assessment objectives:
a supply chain risk management policy is developed and documented;
the supply chain risk management policy is disseminated to [Assignment: organization-defined personnel or roles];
supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;
the supply chain risk management procedures are disseminated to [Assignment: organization-defined personnel or roles].
the organization-level, mission/business process-level, and/or system-level supply chain risk management policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level supply chain risk management policy addresses scope;
the organization-level, mission/business process-level, and/or system-level supply chain risk management policy addresses roles;
the organization-level, mission/business process-level, and/or system-level supply chain risk management policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level supply chain risk management policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level supply chain risk management policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level supply chain risk management policy addresses compliance.
the organization-level, mission/business process-level, and/or system-level supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the [Assignment: organization-defined official] is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;
the current supply chain risk management policy is reviewed and updated [Assignment: organization-defined frequency];
the current supply chain risk management policy is reviewed and updated following [Assignment: organization-defined events];
the current supply chain risk management procedures are reviewed and updated [Assignment: organization-defined frequency];
the current supply chain risk management procedures are reviewed and updated following [Assignment: organization-defined events].
Examine:
Supply chain risk management policy
supply chain risk management procedures
system security plan
privacy plan
other relevant documents or records
Interview:
Organizational personnel with supply chain risk management responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with acquisition responsibilities
organizational personnel with enterprise risk management responsibilities
SR-2: Supply Chain Risk Management Plan
Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services];
Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and
Protect the supply chain risk management plan from unauthorized disclosure and modification.
The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.
Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).
Assessment objectives:
a plan for managing supply chain risks is developed;
the supply chain risk management plan addresses risks associated with the research and development of [Assignment: organization-defined systems, system components, or system services];
the supply chain risk management plan addresses risks associated with the design of [Assignment: organization-defined systems, system components, or system services];
the supply chain risk management plan addresses risks associated with the manufacturing of [Assignment: organization-defined systems, system components, or system services];
the supply chain risk management plan addresses risks associated with the acquisition of [Assignment: organization-defined systems, system components, or system services];
the supply chain risk management plan addresses risks associated with the delivery of [Assignment: organization-defined systems, system components, or system services];
the supply chain risk management plan addresses risks associated with the integration of [Assignment: organization-defined systems, system components, or system services];
the supply chain risk management plan addresses risks associated with the operation and maintenance of [Assignment: organization-defined systems, system components, or system services];
the supply chain risk management plan addresses risks associated with the disposal of [Assignment: organization-defined systems, system components, or system services];
the supply chain risk management plan is reviewed and updated [Assignment: organization-defined frequency] or as required to address threat, organizational, or environmental changes;
the supply chain risk management plan is protected from unauthorized disclosure;
the supply chain risk management plan is protected from unauthorized modification.
Examine:
Supply chain risk management policy
supply chain risk management procedures
supply chain risk management plan
system and services acquisition policy
system and services acquisition procedures
procedures addressing supply chain protection
procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification
system development life cycle procedures
procedures addressing the integration of information security and privacy requirements into the acquisition process
acquisition documentation
service level agreements
acquisition contracts for the system, system component, or system service
list of supply chain threats
list of safeguards to be taken against supply chain threats
system life cycle documentation
inter-organizational agreements and procedures
system security plan
privacy plan
privacy program plan
other relevant documents or records
Interview:
Organizational personnel with acquisition responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with supply chain risk management responsibilities
Test:
Organizational processes for defining and documenting the system development life cycle (SDLC)
organizational processes for identifying SDLC roles and responsibilities
organizational processes for integrating supply chain risk management into the SDLC
mechanisms supporting and/or implementing the SDLC
SR-2 (1): Establish SCRM Team
Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities].
To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.
Assessment objectives:
a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] is established to lead and support [Assignment: organization-defined supply chain risk management activities].
Examine:
Supply chain risk management policy
supply chain risk management procedures
supply chain risk management team charter documentation
supply chain risk management strategy
supply chain risk management implementation plan
procedures addressing supply chain protection
system security plan
privacy plan
other relevant documents or records
Interview:
Organizational personnel with acquisition responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with supply chain risk management responsibilities
organizational personnel with enterprise risk management responsibilities
legal counsel
organizational personnel with business continuity responsibilities
SR-3: Supply Chain Controls and Processes
Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];
Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and
Document the selected and implemented supply chain processes and controls in [Selection (one or more): security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]].
Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.
Assessment objectives:
a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component];
the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] is/are coordinated with [Assignment: organization-defined supply chain personnel];
[Assignment: organization-defined supply chain controls] are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;
the selected and implemented supply chain processes and controls are documented in [Selection (one or more): security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]].
Examine:
Supply chain risk management policy
supply chain risk management procedures
supply chain risk management strategy
supply chain risk management plan
systems and critical system components inventory documentation
system and services acquisition policy
system and services acquisition procedures
procedures addressing the integration of information security and privacy requirements into the acquisition process
solicitation documentation
acquisition documentation (including purchase orders)
service level agreements
acquisition contracts for systems or services
risk register documentation
system security plan
privacy plan
other relevant documents or records
Interview:
Organizational personnel with acquisition responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with supply chain risk management responsibilities
Test:
Organizational processes for identifying and addressing supply chain element and process deficiencies
SR-5: Acquisition Strategies, Tools, and Methods
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.
Assessment objectives:
[Assignment: organization-defined acquisition strategies, contract tools, and procurement methods] are employed to protect against supply chain risks;
[Assignment: organization-defined acquisition strategies, contract tools, and procurement methods] are employed to identify supply chain risks;
[Assignment: organization-defined acquisition strategies, contract tools, and procurement methods] are employed to mitigate supply chain risks.
Examine:
Supply chain risk management policy
supply chain risk management procedures
supply chain risk management plan
system and services acquisition policy
system and services acquisition procedures
procedures addressing supply chain protection
procedures addressing the integration of information security and privacy requirements into the acquisition process
solicitation documentation
acquisition documentation (including purchase orders)
service level agreements
acquisition contracts for systems, system components, or services
documentation of training, education, and awareness programs for personnel regarding supply chain risk
system security plan
privacy plan
other relevant documents or records
Interview:
Organizational personnel with acquisition responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with supply chain risk management responsibilities
Test:
Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods
mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods
SR-6: Supplier Assessments and Reviews
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].
An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.
Assessment objectives:
the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed [Assignment: organization-defined frequency].
Examine:
Supply chain risk management policy and procedures
supply chain risk management strategy
supply chain risk management plan
system and services acquisition policy
procedures addressing supply chain protection
procedures addressing the integration of information security requirements into the acquisition process
records of supplier due diligence reviews
system security plan
other relevant documents or records
Interview:
Organizational personnel with system and services acquisition responsibilities
organizational personnel with information security responsibilities
organizational personnel with supply chain protection responsibilities
Test:
Organizational processes for conducting supplier reviews
mechanisms supporting and/or implementing supplier reviews
SR-8: Notification Agreements
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; [Assignment: organization-defined information]].
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.
Assessment objectives:
agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for the [Selection (one or more): notification of supply chain compromises; [Assignment: organization-defined information]].
Examine:
Supply chain risk management policy and procedures
supply chain risk management plan
system and services acquisition policy
procedures addressing supply chain protection
acquisition documentation
service level agreements
acquisition contracts for the system, system component, or system service
inter-organizational agreements and procedures
system security plan
other relevant documents or records
Interview:
Organizational personnel with system and service acquisition responsibilities
organizational personnel with information security responsibilities
organizational personnel with supply chain risk management responsibilities
Test:
Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities
SR-10: Inspection of Systems or Components
Inspect the following systems or system components [Selection (one or more): at random; at [Assignment: organization-defined frequency]; upon [Assignment: organization-defined indications of need for inspection]] to detect tampering: [Assignment: organization-defined systems or system components].
The inspection of systems or system components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.
Assessment objectives:
[Assignment: organization-defined systems or system components] are inspected [Selection (one or more): at random; at [Assignment: organization-defined frequency]; upon [Assignment: organization-defined indications of need for inspection]] to detect tampering.
Examine:
Supply chain risk management policy and procedures
supply chain risk management plan
system and services acquisition policy
records of random inspections
inspection reports/results
assessment reports/results
acquisition documentation
service level agreements
acquisition contracts for the system, system component, or system service
inter-organizational agreements and procedures
system security plan
other relevant documents or records
Interview:
Organizational personnel with system and services acquisition responsibilities
organizational personnel with information security responsibilities
organizational personnel with supply chain risk management responsibilities
Test:
Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities
organizational processes to inspect for tampering
SR-11: Component Authenticity
Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.
Assessment objectives:
an anti-counterfeit policy is developed and implemented;
anti-counterfeit procedures are developed and implemented;
the anti-counterfeit procedures include the means to detect counterfeit components entering the system;
the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;
counterfeit system components are reported to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
Examine:
Supply chain risk management policy and procedures
supply chain risk management plan
system and services acquisition policy
anti-counterfeit plan
anti-counterfeit policy and procedures
media disposal policy
media protection policy
incident response policy
reports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components
acquisition documentation
service level agreements
acquisition contracts for the system, system component, or system service
inter-organizational agreements and procedures
records of reported counterfeit system components
system security plan
other relevant documents or records
Organizational personnel with system and service acquisition responsibilities
organizational personnel with information security responsibilities
organizational personnel with supply chain risk management responsibilities
organizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting
Organizational processes for counterfeit prevention, detection, and reporting
mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting
SR-11 (1): Anti-counterfeit Training
Train organization-defined personnel or roles to detect counterfeit system components (including hardware, software, and firmware).
None.
the defined personnel or roles are trained to detect counterfeit system components (including hardware, software, and firmware).
Supply chain risk management policy and procedures
supply chain risk management plan
system and services acquisition policy
anti-counterfeit plan
anti-counterfeit policy and procedures
media disposal policy
media protection policy
incident response policy
training materials addressing counterfeit system components
training records on the detection and prevention of counterfeit components entering the system
system security plan
other relevant documents or records
Organizational personnel with information security responsibilities
organizational personnel with supply chain risk management responsibilities
organizational personnel with responsibilities for anti-counterfeit policies, procedures, and training
Organizational processes for anti-counterfeit training
SR-11 (2): Configuration Control for Component Service and Repair
Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: organization-defined system components requiring configuration control.
None.
configuration control over the defined system components awaiting service or repair is maintained;
configuration control over the defined serviced or repaired system components awaiting return to service is maintained.
Supply chain risk management policy and procedures
supply chain risk management plan
configuration control procedures
acquisition documentation
service level agreements
acquisition contracts for the system component
inter-organizational agreements and procedures
system security plan
other relevant documents or records
Organizational personnel with system and services acquisition responsibilities
organizational personnel with information security responsibilities
organizational personnel with supply chain risk management responsibilities
Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities
organizational configuration control processes
SR-12: Component Disposal
Dispose of organization-defined data, documentation, tools, or system components using organization-defined techniques and methods.
Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and can include methods such as disk cleaning, removal of cryptographic keys, or partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.
the defined data, documentation, tools, or system components are disposed of using the defined techniques and methods.
Supply chain risk management policy and procedures
supply chain risk management plan
disposal procedures addressing supply chain protection
media disposal policy
media protection policy
disposal records for system components
documentation of the system components identified for disposal
documentation of the disposal techniques and methods employed for system components
system security plan
other relevant documents or records
Organizational personnel with system component disposal responsibilities
organizational personnel with information security responsibilities
organizational personnel with supply chain protection responsibilities
Organizational techniques and methods for system component disposal
mechanisms supporting and/or implementing system component disposal