NIST 800-53 SR-5 Mappings

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SR-5 Acquisition Strategies, Tools, and Methods Protects T1059.002 AppleScript
SR-5 Acquisition Strategies, Tools, and Methods Protects T1505 Server Software Component
SR-5 Acquisition Strategies, Tools, and Methods Protects T1505.001 SQL Stored Procedures
SR-5 Acquisition Strategies, Tools, and Methods Protects T1505.002 Transport Agent
SR-5 Acquisition Strategies, Tools, and Methods Protects T1546.006 LC_LOAD_DYLIB Addition
SR-5 Acquisition Strategies, Tools, and Methods Protects T1554 Compromise Client Software Binary
SR-5 Acquisition Strategies, Tools, and Methods Protects T1601 Modify System Image
SR-5 Acquisition Strategies, Tools, and Methods Protects T1601.001 Patch System Image
SR-5 Acquisition Strategies, Tools, and Methods Protects T1601.002 Downgrade System Image