NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-10(6) Trusted Distribution

Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The trusted distribution of security-relevant hardware, software, and firmware updates helps to ensure that the updates are correct representations of the master copies maintained by the developer and have not been tampered with during distribution.

Practitioner Notes

Trusted distribution ensures that software reaches the end user or deployment target without being tampered with during transit. The delivery channel must be as secure as the build process.

Example 1: Distribute software through secure, authenticated channels only. Use HTTPS for all downloads, digitally sign packages, and publish checksums on a separate channel so recipients can verify integrity. Never distribute software via unencrypted email or open file shares.
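An added illustration of the checksum verification described in Example 1 (this is example code, not part of the control page): a small Python verifier that parses a sha256sum-style manifest obtained over a separate channel and classifies every delivered file as intact, tampered, missing, or not covered by the manifest, so a pipeline can refuse to deploy unless all files check out. The file names, contents and manifest in `demo()` are constructed for the demonstration (one intact, one tampered, one missing, one unlisted file); a real deployment would also verify the publisher's signature over the manifest itself.

```python
import hashlib
import hmac
from pathlib import Path
from tempfile import TemporaryDirectory

def parse_manifest(text: str) -> dict[str, str]:
    expected = {}  # sha256sum format: '<64 hex chars>  <filename>' per line
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()  # stream so large artifacts need not fit in memory
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_artifacts(artifact_dir: Path, manifest_text: str) -> dict[str, str]:
    """Map every file to 'ok', 'mismatch', 'missing' or 'unlisted'; deploy only if all 'ok'."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = artifact_dir / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for path in artifact_dir.iterdir():  # arrived but not covered by the manifest
        if path.name not in expected:
            results[path.name] = "unlisted"
    return results

def demo() -> dict[str, str]:
    sha = lambda b: hashlib.sha256(b).hexdigest()  # constructed sample data below
    with TemporaryDirectory() as d:
        root = Path(d)
        (root / "agent-1.2.0.tar.gz").write_bytes(b"release contents")
        (root / "plugin.so").write_bytes(b"modified in transit")
        (root / "extra.bin").write_bytes(b"not in manifest")
        manifest = (f"{sha(b'release contents')}  agent-1.2.0.tar.gz\n"
                    f"{sha(b'original plugin')}  *plugin.so\n"
                    f"{sha(b'docs')}  docs.zip\n")
        return verify_artifacts(root, manifest)
```

The manifest must be fetched from a channel independent of the artifact download (and ideally be signed), otherwise an attacker who controls the download path can replace both the file and its checksum together.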

Example 2: Use private package repositories (Azure Artifacts, JFrog Artifactory, GitHub Packages) for internal software distribution. Configure the repository to only accept signed packages and to serve packages over HTTPS. Your deployment pipelines should pull artifacts exclusively from these trusted repositories.