NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT
SR-4 — Provenance
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: {{ insert: param, sr-04_odp }}.
Supplemental Guidance
Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see [SR-1](#sr-1) ) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate.
Practitioner Notes
Track the provenance (origin, history, and chain of custody) of system components — know where your hardware and software came from and who handled it along the way.
Example 1: Maintain a detailed inventory of all hardware components including manufacturer, model, serial number, date of purchase, reseller, and shipping carrier. If a hardware tampering concern arises, you can trace the complete chain of custody.
Example 2: For software, maintain a Software Bill of Materials (SBOM) for all applications. The SBOM lists every component, library, and module in the software, its version, and its source. Use tools like OWASP Dependency-Check or Syft to generate SBOMs automatically.