NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-12(14) — Identity and Traceability
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Establish identity and traceability for critical components throughout the supply chain. You need to know where a component came from, who handled it, and where it ended up in your environment.
Example 1: Maintain a chain of custody record for critical hardware from purchase through deployment. Track the component from the manufacturer through shipping, receiving, storage, and installation. Include serial numbers, dates, and the names of personnel who handled the component at each stage.
Example 2: For software components, maintain an SBOM that traces each component to its source. Track the provenance of open-source libraries (which repository, which version, which maintainer) so that if a supply chain compromise is discovered, you can quickly determine if your systems are affected.
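The impact check described in Example 2, as an added example that is not part of the original page: it walks an SBOM, including nested components, matches package URLs against an advisory, and lists components that carry no traceable identifier. CycloneDX JSON is assumed as the SBOM format; the SBOM, the advisory and every package name and URL below are constructed for illustration.

```python
import json

# Constructed sample SBOM in CycloneDX JSON layout (not from any real system).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.4.1",
     "purl": "pkg:pypi/examplelib@2.4.1",
     "externalReferences": [{"type": "vcs", "url": "https://git.example.org/examplelib"}]},
    {"type": "library", "name": "vendored-crc", "version": "unknown"},
    {"type": "application", "name": "billing-svc", "version": "1.0.0",
     "purl": "pkg:generic/billing-svc@1.0.0",
     "components": [{"type": "library", "name": "fastparse", "version": "0.9.3",
                     "purl": "pkg:npm/fastparse@0.9.3"}]}
  ]
}"""

# Constructed advisory: package coordinate -> versions reported as compromised.
ADVISORY = {"pkg:npm/fastparse": {"0.9.3", "0.9.4"}, "pkg:pypi/examplelib": {"2.5.0"}}

def walk(components, path=()):
    """Yield (component, parent path) for every component, nested ones included."""
    for comp in components or []:
        yield comp, path
        yield from walk(comp.get("components"), path + (comp.get("name", "?"),))

def split_purl(purl):
    """Split 'pkg:type/name@version?qualifiers#subpath' into (coordinate, version)."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    return tuple(base.rsplit("@", 1)) if "@" in base else (base, "")

def find_affected(sbom, advisory):
    """Return (affected findings, names of components with no purl to trace)."""
    affected, untraceable = [], []
    for comp, path in walk(sbom.get("components")):
        purl = comp.get("purl")
        if not purl:  # no identity recorded: cannot be matched to any advisory
            untraceable.append(comp.get("name", "?"))
            continue
        coord, version = split_purl(purl)
        if version in advisory.get(coord, ()):
            source = next((r["url"] for r in comp.get("externalReferences", [])
                           if r.get("type") == "vcs"), None)
            affected.append({"purl": purl, "source": source,
                             "via": "/".join(path) or "(top level)"})
    return affected, untraceable

if __name__ == "__main__":
    affected, untraceable = find_affected(json.loads(SBOM_JSON), ADVISORY)
    print("affected:", affected, "\nuntraceable:", untraceable)
```

The untraceable list is the traceability gap itself: a component recorded without a package URL or source reference cannot be confirmed as affected or unaffected when an advisory arrives.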