NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-18(2) Inspection of Systems or Components

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Physically or logically inspect systems and components for evidence of tampering. Periodic inspection catches issues that automated monitoring might miss.

Example 1: Conduct periodic physical inspections of critical hardware: check for unauthorized modifications, additional devices (keyloggers, rogue network taps), and broken tamper-evident seals. Document each inspection with the date, inspector name, and findings.

Example 2: For software, periodically compare deployed binaries against known-good versions from your build pipeline. Use file hash comparison to verify that what is running in production exactly matches what was approved through your change management process.
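The hash comparison in Example 2, sketched as an added example (not part of the original page): it reports deployed files that were modified, are missing, or are not in the approved manifest at all. The manifest format (`sha256sum`-style lines), the function names, and the sample files are assumptions made for illustration; in practice the manifest comes from the build pipeline and is stored away from the host being inspected.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse 'HEXDIGEST  relative/path' lines (assumed format) into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, rel = line.split(maxsplit=1)
            entries[rel.strip()] = digest.lower()
    return entries

def compare_to_manifest(root: Path, manifest: dict) -> dict:
    """Compare every regular file under root with the approved manifest."""
    deployed = {p.relative_to(root).as_posix(): p
                for p in root.rglob("*") if p.is_file()}
    return {
        "modified": sorted(r for r, p in deployed.items()
                           if r in manifest and sha256_file(p) != manifest[r]),
        "missing": sorted(set(manifest) - set(deployed)),
        "unexpected": sorted(set(deployed) - set(manifest)),
    }

def demo() -> dict:
    """Constructed sample: an approved release, then three simulated changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        approved = {"bin/app": b"release-1.0", "bin/helper": b"helper-1.0",
                    "app.conf": b"mode=prod\n"}
        for rel, data in approved.items():
            (root / rel).write_bytes(data)
        manifest = parse_manifest("\n".join(
            f"{hashlib.sha256(d).hexdigest()}  {r}" for r, d in approved.items()))
        (root / "bin/app").write_bytes(b"release-1.0-changed")  # altered binary
        (root / "bin/helper").unlink()                          # removed file
        (root / "bin/extra").write_bytes(b"not from the build")  # added file
        return compare_to_manifest(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Checking for unexpected files as well as changed ones matters here: a hash-only comparison of listed files would not notice a file that was never part of the approved build.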