SR-5(2)

  • Requirement

    Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

  • Discussion

    Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see SR-6(1)). Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements.

More Info

  • Title

    Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update
  • Family

    Supply Chain Risk Management
  • NIST 800-53B Baseline(s)

  • Related NIST 800-53 ID

    CA-8; RA-5; SA-11; SI-7
