Establish and maintain a register of approved third parties, technologies and tools.
CONTROL ID
06836
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Plan for acquiring facilities, technology, or services., CC ID: 06892

This Control has the following implementation support Control(s):
  • Install software that originates from approved third parties., CC ID: 12184
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The communications authority shall establish and maintain a register of cryptography providers. (§ 23(1), The Electronic Communications and Transactions Act, 2002)
  • The communications authority shall record the name and address of the cryptographic provider in the register. (§ 23(2)(a), The Electronic Communications and Transactions Act, 2002)
  • The communications authority shall record a description of the type of cryptographic product or cryptographic service that is being provided in the cryptography provider register. (§ 23(2)(b), The Electronic Communications and Transactions Act, 2002)
  • The communications authority shall record other items to identify and locate the cryptography provider, the cryptographic services, or the cryptographic products adequately. (§ 23(2)(c), The Electronic Communications and Transactions Act, 2002)
  • The accreditation authority shall maintain a publicly accessible database of accredited authentication products or authentication services. (§ 28(2)(a), The Electronic Communications and Transactions Act, 2002)
  • The accreditation authority shall maintain a publicly available database of recognized authentication products and authentication services. (§ 28(2)(b), The Electronic Communications and Transactions Act, 2002)
  • The accreditation authority shall maintain a publicly accessible database of revoked accreditations or recognitions. (§ 28(2)(c), The Electronic Communications and Transactions Act, 2002)
  • AIs should identify the locations of customer data residing in different parts of AIs' networks and systems and ensure that adequate logical access controls are in place at different levels (e.g. application level, database level, operating system level, network level) to prevent unauthorized access… (Annex C. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • laying down appropriate approval authorities for outsourcing arrangements consistent with its established strategy and risk appetite; (5.2.2 (c), Guidelines on Outsourcing)
  • Mobile carriers that are able to provide timely security updates for mobile devices are used. (Security Control: 1365; Revision: 1, Australian Government Information Security Manual, March 2021)
  • When using a software-based isolation mechanism to share a physical server's hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner. (Security Control: 1460; Revision: 2, Australian Government Information Security Manual, March 2021)
  • An approved supplier list is developed, implemented and maintained. (Control: ISM-1786; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Applications, ICT equipment and services are sourced from approved suppliers. (Control: ISM-1787; Revision: 1, Australian Government Information Security Manual, June 2023)
  • When using a software-based isolation mechanism to share a physical server's hardware, the isolation mechanism is from a vendor that has demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practic… (Control: ISM-1460; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Microsoft Office's list of trusted publishers is validated on an annual or more frequent basis. (Control: ISM-1676; Revision: 0, Australian Government Information Security Manual, June 2023)
  • All wireless devices are Wi-Fi Alliance certified. (Control: ISM-1314; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Evaluated peripheral switches are used when sharing peripherals between systems. (Control: ISM-0591; Revision: 8, Australian Government Information Security Manual, June 2023)
  • ICT equipment is chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products. (Control: ISM-1857; Revision: 0, Australian Government Information Security Manual, June 2023)
  • IPv6 capable network security appliances are used on IPv6 and dual-stack networks. (Control: ISM-1186; Revision: 4, Australian Government Information Security Manual, June 2023)
  • An approved supplier list is developed, implemented and maintained. (Control: ISM-1786; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Applications, ICT equipment and services are sourced from approved suppliers. (Control: ISM-1787; Revision: 1, Australian Government Information Security Manual, September 2023)
  • When using a software-based isolation mechanism to share a physical server's hardware, the isolation mechanism is from a vendor that has demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practic… (Control: ISM-1460; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Microsoft Office's list of trusted publishers is validated on an annual or more frequent basis. (Control: ISM-1676; Revision: 0, Australian Government Information Security Manual, September 2023)
  • All wireless devices are Wi-Fi Alliance certified. (Control: ISM-1314; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Evaluated peripheral switches are used when sharing peripherals between systems. (Control: ISM-0591; Revision: 8, Australian Government Information Security Manual, September 2023)
  • ICT equipment is chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products. (Control: ISM-1857; Revision: 0, Australian Government Information Security Manual, September 2023)
  • IPv6 capable network security appliances are used on IPv6 and dual-stack networks. (Control: ISM-1186; Revision: 4, Australian Government Information Security Manual, September 2023)
  • The organization should maintain an approved technology register for new technologies. (¶ 64, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should maintain a register of all approved software development tools and how they should be used. (Attach D ¶ 4, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • An APRA-regulated entity could find it useful to develop a technology authorisation process and maintain an 'approved technology register' to facilitate this. The authorisation process would typically assess the benefits of the new technology against the impact of an information security compromise,… (62., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity could find it useful to maintain a register of approved software development tools and associated usage. The regulated entity would typically enforce compliance with the register for the purposes of quality control, avoiding compromises of the production environment and redu… (Attachment D 3., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution may find it useful to maintain a register of approved software development tools and associated usage. The institution would normally enforce compliance with the register for the purposes of quality control, avoiding compromises of the production environment and reducing the … (Attachment D ¶ 4, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A regulated institution may find it useful to develop a technology authorisation process and maintain an approved technology register to facilitate this. The authorisation process would typically involve a risk assessment balancing the benefits of the new technology with the risk (including an allow… (¶ 64, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • If Option B: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications? (A8.5., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • A financial institution's processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function's end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution sho… (3.6.2 74, Final Report EBA Guidelines on ICT and security risk management)
  • outsourcing to service providers that are authorised by a competent authority and those that are not; (4.7 43(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • A register of entities authorized to use electronic signatures should be maintained. (¶ 21.9 Bullet 3, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization shall have documented procedures maintaining a register of approved suppliers. (§ 4.2.2 ¶ 1.b, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Unauthorized external connections should be identified (e.g., for investigation or possible removal) by checking accounting records of bills paid to telecommunications suppliers and reconciling them against known connections. (CF.09.03.09c, The Standard of Good Practice for Information Security)
  • Relevant business managers should have access to an up-to-date register of cryptographic solutions. (CF.08.04.05c, The Standard of Good Practice for Information Security)
  • A register of approved cryptographic solutions should be maintained, which specifies the intended use of encryption within the organization. (CF.08.04.06a, The Standard of Good Practice for Information Security)
  • A register of approved cryptographic solutions should be maintained, which details the locations (including jurisdictions) where cryptographic solutions are applied. (CF.08.04.06b, The Standard of Good Practice for Information Security)
  • A register of approved cryptographic solutions should be maintained, which contains information relating to the licensing requirements for using cryptographic solutions. (CF.08.04.06c, The Standard of Good Practice for Information Security)
  • A register of approved cryptographic solutions should be maintained, which is made available to authorized external parties (e.g., regulatory authorities and law enforcement). (CF.08.04.06d, The Standard of Good Practice for Information Security)
  • Unauthorized external connections should be identified (e.g., for investigation or possible removal) by checking accounting records of bills paid to telecommunications suppliers and reconciling them against known connections. (CF.09.03.09c, The Standard of Good Practice for Information Security, 2013)
  • Relevant business managers should have access to an up-to-date register of cryptographic solutions. (CF.08.04.05c, The Standard of Good Practice for Information Security, 2013)
  • A register of approved cryptographic solutions should be maintained, which specifies the intended use of encryption within the organization. (CF.08.04.06a, The Standard of Good Practice for Information Security, 2013)
  • A register of approved cryptographic solutions should be maintained, which details the locations (including jurisdictions) where cryptographic solutions are applied. (CF.08.04.06b, The Standard of Good Practice for Information Security, 2013)
  • A register of approved cryptographic solutions should be maintained, which contains information relating to the licensing requirements for using cryptographic solutions. (CF.08.04.06c, The Standard of Good Practice for Information Security, 2013)
  • A register of approved cryptographic solutions should be maintained, which is made available to authorized external parties (e.g., regulatory authorities and law enforcement). (CF.08.04.06d, The Standard of Good Practice for Information Security, 2013)
  • Verify that only micro controllers that support disabling debugging interfaces (e.g. JTAG, SWD) are used. (C.26, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that only micro controllers that provide substantial protection from de-capping and side channel attacks are used. (C.27, Application Security Verification Standard 4.0.3, 4.0.3)
  • The company shall have a documented and communicated list of approved application stores that have been identified as acceptable for mobile devices accessing or storing company data and/or company systems. (MOS-02, Cloud Controls Matrix, v3.0)
  • Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data. (UEM-02, Cloud Controls Matrix, v4.0)
  • Establish and manage an updated inventory of third-party components used in development, often referred to as a "bill of materials," as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to i… (CIS Control 16: Safeguard 16.4 Establish and Manage an Inventory of Third-Party Software Components, CIS Controls, V8)
  • Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. (CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components, CIS Controls, V8)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • DoD Component mission partners in the .gov, .org, .com, .edu domains must only use CSPs or CSOs that have a DoD PA for the Information Impact Level that best matches the CNSSI 1253 categorization of the information to be processed/stored/transmitted by the CSP/CSO. If the information is public, then… (Section 5.13.1 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • A Non-CSP DoD Contractor might choose to integrate a third party CSO as a component of a contracted Non-CSO product or service (e.g., a weapons system or major application). Such contractors may only utilize third party CSPs or CSOs that have a DoD PA for the Information Impact Level that best match… (Section 5.13.3 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Non-CSP DoD contractors and DIB partners may wish to utilize Cloud Services in the fulfilment of their contract or for the protection/processing of DoD data they possess (i.e., CUI or Covered Defense Information (CDI)). Thus, for the protection of sensitive CUI/CDI, it is highly recommended that Non… (Section 5.13.2 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Identifies equipment owned and managed by third parties on the entity's behalf. (App A Objective 4:3a Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Use of only a trusted provider for third-party file exchange and storage solutions. (App A Objective 11:1e Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Equipment enrollment. (App A Tier 2 Objectives and Procedures N.7 Bullet 1 Sub-Bullet 5, Sub-Sub Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing [FedRAMP Assignment: organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedure… (SA-12 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. (SA-4(10) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • The device meets [FedRAMP Assignment: FIPS-validated or NSA-approved cryptography]. (IA-2(6) ¶ 1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. (SA-4(10) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. (SA-4(10) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • The device meets [FedRAMP Assignment: FIPS-validated or NSA-approved cryptography]. (IA-2(6) ¶ 1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. (SA-4(10) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. (SA-4(10) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. (SA-4(10) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology typ… (SA-4(7)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology typ… (SA-4(7)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization. (3.1.2e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) ¶ 1 Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Use of base layers from trusted sources only, frequent updates of base layers, and selection of base layers from minimalistic technologies like Alpine Linux and Windows Nano Server to reduce attack surface areas. (4.1.2 ¶ 1 (4), NIST SP 800-190, Application Container Security Guide)
  • Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, open-source, and other third-party developers for use by the organization's software. (PW.4.1, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality (PW.4): Lower the costs of software development, expedite software development, and decrease the likelihood of introducing additional security vulnerabilities into the software by reusing software modules and se… (PW.4, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Standardize hardware, software, and peripherals. System recovery may be expedited if hardware, software, and peripherals are standardized throughout the client/server system. Recovery costs may be reduced because standard configurations may be designated and resources may be shared. Standardized com… (§ 5.2.1 ¶ 3 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Standardize hardware, software, and peripherals. System recovery is faster if hardware, software, and peripherals are standardized throughout the organization. Additionally, critical hardware components that need to be recovered immediately in the event of a disaster should be compatible with off-th… (§ 5.2.1 ¶ 1 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. (SA-4(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources]. (SI-14(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. (IA-2(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]. (IA-2(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classifi… (SA-4(6)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. (SA-4(6)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a … (SA-4(7)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classific… (SA-4(6)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. (SA-4(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. (SA-4(6)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology typ… (SA-4(7)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources]. (SI-14(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The device meets [Assignment: organization-defined strength of mechanism requirements]. (IA-2(6) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classific… (SA-4(6)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. (SA-4(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. (SA-4(6)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology typ… (SA-4(7)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources]. (SI-14(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The device meets [Assignment: organization-defined strength of mechanism requirements]. (IA-2(6) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a … (SA-4(7) ¶ 1(a), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)