NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT
SR-4(2) — Track and Trace
Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [Assignment: organization-defined systems and critical system components].
Supplemental Guidance
Tracking the unique identification of systems and system components during development and transport activities provides a foundational identity structure for the establishment and maintenance of provenance. For example, system components may be labeled using serial numbers or tagged using radio-frequency identification tags. Labels and tags can help provide better visibility into the provenance of a system or system component. A system or system component may have more than one unique identifier. Identification methods are sufficient to support a forensic investigation after a supply chain compromise or event.
Practitioner Notes
Track and trace system components throughout the supply chain — from manufacture to delivery to deployment — to detect tampering or diversion.
Example 1: Use serialized tracking for critical hardware components. Record serial numbers at procurement, verify them at receiving, and check them again during deployment. Any serial number mismatch between records indicates potential component swapping.
Example 2: For software, use verified download channels with integrity verification. Record the hash of every software package at download time, store it in your configuration management database, and verify it again before installation. Any change in the hash means the software was modified.
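The checkpoint comparison described in Examples 1 and 2, as an added sketch that is not part of the NIST text: each component's identifiers are recorded per checkpoint and every later checkpoint is compared against the first one. The `TraceLedger` class, the stage names for software, the asset names and all identifier values are hypothetical, and an in-memory dictionary stands in for the configuration management database.

```python
import hashlib
from collections import defaultdict

# Checkpoints in supply-chain order; the first one is the baseline.
HARDWARE_STAGES = ("procurement", "receiving", "deployment")
SOFTWARE_STAGES = ("download", "installation")  # assumed names for Example 2

class TraceLedger:
    """In-memory stand-in for a CMDB table of identifier observations."""

    def __init__(self):
        # asset -> stage -> {identifier kind: value}
        self._obs = defaultdict(dict)

    def record(self, asset, stage, **identifiers):
        # A component may carry more than one identifier (serial, RFID tag, ...).
        self._obs[asset].setdefault(stage, {}).update(identifiers)

    def record_package(self, asset, stage, blob):
        # Software is identified by the SHA-256 of the package bytes.
        self.record(asset, stage, sha256=hashlib.sha256(blob).hexdigest())

    def findings(self, asset, stages):
        """Compare every later checkpoint against the baseline checkpoint."""
        seen = self._obs.get(asset, {})
        baseline = seen.get(stages[0])
        if baseline is None:
            return [(stages[0], "*", "no baseline recorded")]
        out = []
        for stage in stages[1:]:
            if stage not in seen:
                out.append((stage, "*", "checkpoint not verified"))
                continue
            for kind, expected in baseline.items():
                actual = seen[stage].get(kind)
                if actual is None:
                    out.append((stage, kind, "identifier not checked"))
                elif actual != expected:
                    out.append((stage, kind, f"mismatch: {expected} -> {actual}"))
        return out

# Constructed sample data: one hardware component, one software package.
ledger = TraceLedger()
ledger.record("fw-01", "procurement", serial="SN-EXAMPLE-0001", rfid="TAG-EXAMPLE-A1")
ledger.record("fw-01", "receiving", serial="SN-EXAMPLE-0001", rfid="TAG-EXAMPLE-A1")
ledger.record("fw-01", "deployment", serial="SN-EXAMPLE-0009", rfid="TAG-EXAMPLE-A1")
ledger.record_package("agent-pkg", "download", b"constructed package bytes v1")
ledger.record_package("agent-pkg", "installation", b"constructed package bytes v1")
```

A skipped checkpoint is reported as a finding in its own right, because a gap in the record leaves a window in which a swap or modification would go unnoticed.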