Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see SR-01) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| SR-4 | Provenance | Protects | T1059.002 | AppleScript |
| SR-4 | Provenance | Protects | T1204.003 | Malicious Image |
| SR-4 | Provenance | Protects | T1505 | Server Software Component |
| SR-4 | Provenance | Protects | T1505.001 | SQL Stored Procedures |
| SR-4 | Provenance | Protects | T1505.002 | Transport Agent |
| SR-4 | Provenance | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SR-4 | Provenance | Protects | T1554 | Compromise Client Software Binary |
| SR-4 | Provenance | Protects | T1601 | Modify System Image |
| SR-4 | Provenance | Protects | T1601.001 | Patch System Image |
| SR-4 | Provenance | Protects | T1601.002 | Downgrade System Image |