AuditRubric
id-ra-9 | high | Identify / Risk Assessment

The authenticity and integrity of hardware and software are assessed prior to acquisition and use

Compromised hardware and software can be introduced into your environment during the acquisition process itself. Counterfeit hardware, tampered firmware, and malicious packages in software supply chains are real attack vectors. Verifying authenticity and integrity before deployment catches these threats at the cheapest point to stop them: once a component is inside your perimeter it has already had the opportunity to act, and finding it afterwards is a forensics problem rather than a receiving check.

Estimated effort: 4h
Tags: supply-chain, software-integrity, sbom, acquisition, tamper-detection

Implementation steps

  1. Establish approved sources for hardware and software procurement

    Require hardware to be purchased only through authorized channels: vendor-direct or an authorized reseller, never grey-market or secondary sources. For software, define approved sources (official package registries with signature verification enabled, official vendor download pages) and prohibit installation from anything else; enforce the restriction with endpoint management rather than relying on users to comply. Make this a policy requirement, not just a recommendation.

    Tools: jamf, microsoft-intune, kandji
  2. Verify integrity of software packages before deployment

    For critical software, verify a signature made with the publisher's key (or a Sigstore certificate bound to the publisher's identity) before installation, and keep the verification output. A checksum fetched from the same page as the package only proves the download was not corrupted in transit: an attacker who can replace the package can replace the checksum next to it, so the expected digest must come from a source you trust independently, such as a digest pinned in your own repository. In your CI/CD pipelines, pin dependencies by content hash or digest rather than by a mutable version tag, commit the lockfile, and run a software composition analysis tool on every build to flag packages with known vulnerabilities, known malicious versions, or unexpected changes between releases. Automate these checks so that a failure blocks the build instead of producing a warning someone has to notice.

    Tools: snyk, grype, sigstore, dependabot, semgrep
  3. Inspect hardware for signs of tampering on receipt

    For critical hardware (servers, network equipment, HSMs), inspect packaging and tamper-evident seals on receipt, record anything suspicious before opening the unit further, and check serial numbers against the purchase order and shipping manifest; a serial that does not match, or that the vendor does not recognize where the vendor offers a serial lookup, is grounds to quarantine the unit rather than rack it. For particularly sensitive deployments, verify BIOS/UEFI firmware before first use: confirm the firmware version and hash match the vendor's published values, confirm Secure Boot is enabled, and where the platform supports measured boot, compare the TPM's boot measurements against vendor reference values.
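A concrete form of the pinning and checksum verification in step 2, as an added example that is not from the page or from any of the tools it names. It assumes a manifest of SHA-256 digests committed in the repository, in the same "<sha256>  <name>" format that `sha256sum -c` reads, so the expected value never comes from the download server; the cosign call assumes a Sigstore keyless signature, and the identity and issuer arguments are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): verify downloaded artifacts against
# SHA-256 digests pinned in the repository, and check a Sigstore signature
# with cosign when it is installed. File names and identities are assumptions.
set -eu

# Portable SHA-256 hex digest: GNU coreutils sha256sum, else shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE EXPECTED_SHA256 -> 0 if the file matches, 1 otherwise.
# Compared in lower case because tools print hex digests in either case.
verify_pinned() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'DIGEST MISMATCH %s\n  expected %s\n  actual   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# verify_manifest MANIFEST DIR -> 0 only if every pinned file exists and matches.
# An empty manifest fails: a missing or truncated pin file must not pass silently.
verify_manifest() {
  local manifest="$1" dir="$2" digest name rc=0 n=0
  # The "|| [ -n ]" keeps the last line if the file lacks a trailing newline.
  while read -r digest name || [ -n "${digest:-}" ]; do
    [ -n "$digest" ] || continue          # skip blank lines
    n=$((n + 1))
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING $dir/$name" >&2
      rc=1
      continue
    fi
    verify_pinned "$dir/$name" "$digest" || rc=1
  done < "$manifest"
  [ "$n" -gt 0 ] || { echo "EMPTY MANIFEST $manifest" >&2; return 1; }
  return "$rc"
}

# verify_signature BLOB SIG CERT IDENTITY ISSUER: Sigstore keyless check via
# `cosign verify-blob`. Fails closed when cosign is absent: an unverifiable
# signature must never be treated as a verified one.
verify_signature() {
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 1; }
  cosign verify-blob --signature "$2" --certificate "$3" \
    --certificate-identity "$4" --certificate-oidc-issuer "$5" "$1"
}

# Demo on constructed data, no network: a stand-in for a downloaded release.
demo() {
  local tmp
  tmp=$(mktemp -d)
  printf 'release payload v1.2.3\n' > "$tmp/tool.tar.gz"
  # The pin is recorded once, from a copy you trust, and committed to the repo.
  printf '%s  tool.tar.gz\n' "$(sha256_of "$tmp/tool.tar.gz")" > "$tmp/pins.sha256"
  verify_manifest "$tmp/pins.sha256" "$tmp" && echo "OK: manifest verified"
  # Simulate a swapped download: content changed after the pin was recorded.
  printf 'release payload v1.2.4\n' > "$tmp/tool.tar.gz"
  verify_manifest "$tmp/pins.sha256" "$tmp" || echo "REJECTED: tampered artifact"
  rm -rf "$tmp"
}

demo
```

The expected digest lives in the repository, not beside the download: the check only means something when the reference value comes over a channel the attacker who can swap the package cannot also reach. A missing verifier (no cosign) and an empty manifest both fail rather than skip, so a misconfigured pipeline cannot pass by verifying nothing.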

Evidence required

Approved procurement sources policy

A documented policy requiring hardware and software to be obtained from approved, verified sources.

  • Procurement policy section on approved hardware vendors and software sources
  • Approved software list for endpoint installation
  • IT policy document prohibiting software installation from unverified sources

Software integrity verification records

Evidence that software integrity is verified before deployment, such as CI/CD pipeline configuration or SCA scan outputs.

  • CI pipeline configuration showing dependency pinning and signature verification
  • SCA scan results from Snyk, Grype, or equivalent tool
  • Checksum verification log for software packages

Related controls