Skip to main content

AST-17: Prohibited Equipment & Services

AST 9 — Critical Protect

Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain Technology Assets, Applications and/or Services (TAAS) that are designated as supply chain threats by a statutory or regulatory body.

Control Question: Does the organization govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain Technology Assets, Applications and/or Services (TAAS) that are designated as supply chain threats by a statutory or regulatory body?

General (5)
Framework Mapping Values
CSA CCM 4 UEM-14
NIST 800-171 R3 (source) 03.11.01.a 03.16.01
SCF CORE ESP Level 1 Foundational AST-17
SCF CORE ESP Level 2 Critical Infrastructure AST-17
SCF CORE ESP Level 3 Advanced Threats AST-17
US (3)
Framework Mapping Values
US DFARS Cybersecurity 252.204-70xx 252.204-7018(b)
US FAR 52.204-25 (NDAA Section 889) 889(a)(1)(A) 889(a)(1)(B)
US FAR 52.204-27 52.204-27(b)
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.11.01.A 03.16.01

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/ or equipment that are designated as supply chain threats by a statutory or regulatory body.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/ or equipment that are designated as supply chain threats by a statutory or regulatory body.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/ or equipment that are designated as supply chain threats by a statutory or regulatory body.

Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • An IT infrastructure team, or similar function, enforces sanctions that require the removal and prohibition of certain technology services and/ or equipment that are designated as supply chain threats by a statutory or regulatory body (e.g., removes prohibited assets and/ or services).
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/ or equipment that are designated as supply chain threats by a statutory or regulatory body.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/ or equipment that are designated as supply chain threats by a statutory or regulatory body.

Assessment Objectives

  1. AST-17_A01 Supply Chain Risk Management (SCRM) practices require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.

Evidence Requirements

E-AST-10 Prohibited Equipment List (PEM)

Documented evidence of equipment identified by Federal Acquisition Regulation (FAR) section 889 prohibitions for certain telecommunications equipment.

Asset Management

Technology Recommendations

Micro/Small

  • IT Asset Management (ITAM) program

Small

  • IT Asset Management (ITAM) program

Medium

  • IT Asset Management (ITAM) program

Large

  • IT Asset Management (ITAM) program

Enterprise

  • IT Asset Management (ITAM) program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free