NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT
SR-10 — Inspection of Systems or Components
Inspect the following systems or system components [organization-defined parameter] to detect tampering: [organization-defined parameter].
Supplemental Guidance
The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.
Practitioner Notes
Inspect systems or components — physically or logically — to detect tampering, counterfeit components, or unauthorized modifications.
Example 1: When receiving new IT equipment, perform receiving inspections. Verify serial numbers match purchase orders, check for tamper-evident seal integrity, compare the firmware version against the vendor's published current version, and look for physical signs of modification.
Example 2: For software, conduct integrity verification before deployment. Compare file hashes against vendor-published values, verify code signatures, and scan for known malware. Do not deploy any software that fails integrity verification.
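The software check in Example 2 can be run as a fail-closed gate. The sketch below is an added example, not part of NIST 800-53 or any vendor's tooling. It goes slightly beyond the text by also flagging files the vendor never listed. Assumptions: the vendor publishes a `sha256sum`-format manifest that was obtained over a trusted channel, and the function names and sample files are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path, PurePosixPath

# sha256sum line format: 64 hex chars, a space, ' ' or '*', then a relative path
LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_manifest(text):
    expected = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.fullmatch(line)
        name = PurePosixPath(m.group(2)) if m else None
        if name is None or name.is_absolute() or ".." in name.parts:
            raise ValueError(f"manifest line {n} is malformed or escapes staging")
        expected[name.as_posix()] = m.group(1).lower()
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large images
            h.update(chunk)
    return h.hexdigest()

def inspect_drop(staging, manifest_text):
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": []}
    for name, digest in sorted(expected.items()):
        target = staging / name
        state = "missing" if not target.is_file() else (
            "ok" if sha256_file(target) == digest else "mismatch")
        report[state].append(name)
    present = {p.relative_to(staging).as_posix() for p in staging.rglob("*") if p.is_file()}
    report["unlisted"] = sorted(present - set(expected))  # files the vendor never shipped
    # Fail closed: any deviation, or nothing verified at all, blocks deployment.
    report["deploy"] = bool(report["ok"]) and not (
        report["mismatch"] or report["missing"] or report["unlisted"])
    return report

def demo():
    # Constructed sample: manifest built from "vendor" bytes, then a modified delivery.
    vendor = {"agent.bin": b"build 1.0\n", "agent.conf": b"mode=prod\n", "README": b"docs\n"}
    manifest = "".join(f"{hashlib.sha256(v).hexdigest()}  {k}\n" for k, v in vendor.items())
    received = {"agent.bin": vendor["agent.bin"], "agent.conf": b"mode=debug\n", "helper.sh": b"#!/bin/sh\n"}
    with tempfile.TemporaryDirectory() as d:
        for k, v in received.items():
            (Path(d) / k).write_bytes(v)
        return inspect_drop(Path(d), manifest)
```

A hash match only shows the delivery equals what the manifest describes; the code-signature check and malware scan from Example 2 remain separate steps.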