SR-4

Provenance

Supply Chain Risk Management

The organization establishes and maintains provenance over information, information systems, system components, and information system services.

High PriorityAI-Relevant Control

Purpose

Track and verify the origin and history of information, systems, and services.

AI Relevance

Essential for tracking the origin and history of AI models, training data, and AI system components to ensure trust and authenticity.

Implementation Guidance

Implement provenance tracking systems, establish documentation requirements, and create verification procedures for all supply chain components.

Assessment

Review provenance documentation, verify provenance tracking, test provenance verification procedures, and validate provenance controls.

Requirements

  • 1Establish provenance over information
  • 2Maintain provenance over information
  • 3Establish provenance over information systems
  • 4Maintain provenance over information systems
  • 5Establish provenance over system components
  • 6Maintain provenance over system components
  • 7Establish provenance over information system services
  • 8Maintain provenance over information system services
  • 9Document provenance information
  • 10Verify provenance information

Related Controls

SR-1: Supply Chain Risk Management Policy and ProceduresSR-2: Supply Chain Risk Management PlanSR-3: Supply Chain Controls and ProcessesSR-5: Acquisition Strategies, Tools, and Methods

References

NIST SP 800-53 Rev 5NIST Cybersecurity Supply Chain Risk Management

Framework Context

NIST 800-53 Rev 5

Security and Privacy Controls for Federal Information Systems

Official Documentation →

NIST AI RMF

AI Risk Management Framework

AI RMF Documentation →

OWASP AISVS

AI Security Verification Standard

AISVS Documentation →