NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-10(5) — Mapping Integrity for Version Control
Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Mapping integrity for version control addresses changes to hardware, software, and firmware components during both initial development and system development life cycle updates. Maintaining the integrity between the master copies of security-relevant hardware, software, and firmware (including designs, hardware drawings, source code) and the equivalent data in master copies in operational environments is essential to ensuring the availability of organizational systems that support critical mission and business functions.
Practitioner Notes
Mapping integrity for version control ensures that the relationship between source code versions and deployed artifacts is maintained and verifiable. You need to know exactly what code is running in production.
Example 1: Tag every release in your version control system with a unique version number. Record the exact commit hash, build number, and deployment date for every production deployment. At any point, you should be able to trace a running binary back to the exact source code that produced it.
Example 2: In your CI/CD pipeline, embed version metadata (Git commit hash, build timestamp, pipeline run ID) in the built artifact. This makes it possible to verify that a deployed application matches a specific source code version without needing to rebuild.
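The build record described in Examples 1 and 2, as an added example that is not part of the control text or the original page: it binds the commit hash, pipeline run ID and build timestamp to the artifact's SHA-256 digest, then seals the record so the mapping itself can be checked later. The field names, the HMAC key standing in for a pipeline signing key, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real pipeline would supply these.
SEAL_KEY = b"constructed-demo-key"  # assumption: secret held only by the CI system
ARTIFACT = b"\x7fELF constructed release binary v1.4.2"


def _seal(record: dict, key: bytes) -> str:
    """HMAC over a canonical JSON form of every field except the seal."""
    body = {k: v for k, v in record.items() if k != "seal"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_record(artifact: bytes, commit: str, run_id: str,
                built_at: str, key: bytes) -> dict:
    """Bind source identity to the artifact digest and seal the mapping."""
    record = {
        "commit": commit,
        "pipeline_run_id": run_id,
        "built_at": built_at,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
    }
    record["seal"] = _seal(record, key)
    return record


def verify_deployed(deployed: bytes, record: dict, key: bytes) -> str:
    """Return 'ok', 'record-tampered' or 'artifact-mismatch'."""
    # Check the record first: a digest from an altered record proves nothing.
    if not hmac.compare_digest(str(record.get("seal", "")), _seal(record, key)):
        return "record-tampered"
    digest = hashlib.sha256(deployed).hexdigest()
    if not hmac.compare_digest(digest, record["artifact_sha256"]):
        return "artifact-mismatch"
    return "ok"


RECORD = make_record(ARTIFACT, "0123456789abcdef0123456789abcdef01234567",
                     "run-1042", "2024-01-15T10:30:00Z", SEAL_KEY)

if __name__ == "__main__":
    print(json.dumps(RECORD, indent=2))
    print(verify_deployed(ARTIFACT, RECORD, SEAL_KEY))
```

Verifying the seal before the digest matters: if the record can be edited freely, an altered binary can be paired with an altered record and still appear to match.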