
SB 1.3.7

Since “SB 1.3.7” could refer to a specific standard (e.g., NIST SP 800-53, ISO, an internal corporate standard, or a regulatory clause), I have assumed it follows a structure similar to NIST SP 800-53’s security and privacy controls, with “SB” used as a custom family identifier covering what NIST places under SR (Supply Chain Risk Management) and SA (System and Services Acquisition): integrity of software and hardware acquired from suppliers.

Open-source software obtained directly from public repositories without a formal supplier chain (handled by separate policy SB 2.1.4).

4. Implementation Status

| Requirement Element | Implemented (Y/N) | Evidence / Artifact | Responsible Party |
|---------------------|-------------------|---------------------|-------------------|
| Supplier integrity attestation | Y | Supplier Integrity Attestation Form (SIAF v2.3), collected for 98% of tier-1 suppliers | Supply Chain Mgr |
| Cryptographic hash verification for software | Y | SHA-256 check against published hashes; automated via CI pipeline for 100% of acquired binaries | DevSecOps Team |
| Hardware tamper-evident seal inspection | Y | Photo log and inspection checklist for all physical deliveries | Logistics & Security |
| Malicious code scan (anti-malware / static analysis) | Y | Results from [Tool Name] scan, latest run: [Date] | Security Operations |
| Non-compliance remediation process | Y | Non-Conformance Report (NCR) SB-1.3.7-001 issued for 2 incidents in Q1, both resolved | GRC Team |
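The "SHA-256 check against published hashes" row is the one control in the table that is a concrete technique rather than a process, and it is only as good as the checker's handling of the failure cases: a delivered file whose hash does not match, a file the supplier never listed, and a listed file that never arrived. The following is an added example written for this page, not the organisation's own CI pipeline; it assumes the supplier publishes a sha256sum(1)-style manifest (`<hex>  <filename>` lines), and the artifact bytes and the tampered Windows package are constructed stand-ins. One caveat the table does not state: a hash only proves the file matches what was published, so the manifest must reach the pipeline through a channel independent of the download (or carry a signature); an attacker who can replace the binary on the same server can replace the hash next to it.

```python
import hashlib
import hmac
import io
import re
from typing import BinaryIO, Dict

# Constructed sample data (not real artifacts). PUBLISHED_ARTIFACTS is what the
# supplier hashed; DELIVERED_ARTIFACTS is what arrived. The Windows package has
# been altered by one byte in transit, and one file was never published at all.
PUBLISHED_ARTIFACTS: Dict[str, bytes] = {
    "agent-2.3.1-linux-amd64.tar.gz": b"stand-in for the linux tarball\n",
    "agent-2.3.1-windows-amd64.zip": b"stand-in for the windows zip\n",
}
DELIVERED_ARTIFACTS: Dict[str, bytes] = {
    "agent-2.3.1-linux-amd64.tar.gz": PUBLISHED_ARTIFACTS["agent-2.3.1-linux-amd64.tar.gz"],
    "agent-2.3.1-windows-amd64.zip": PUBLISHED_ARTIFACTS["agent-2.3.1-windows-amd64.zip"] + b"\x00",
    "extra-tool.bin": b"something the supplier never listed\n",
}

# sha256sum output: 64 hex chars, whitespace, optional '*' (binary-mode marker), filename.
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def sha256_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hash a file-like object in chunks so multi-GB binaries need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return sha256_stream(io.BytesIO(data))


def build_manifest(artifacts: Dict[str, bytes]) -> str:
    """Produce a sha256sum-style manifest. In practice this is the supplier's file,
    obtained out of band; it is generated here only so the example runs offline."""
    return "".join(f"{sha256_bytes(data)}  {name}\n" for name, data in artifacts.items())


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse manifest lines strictly: a malformed or duplicate line is an error,
    never something to skip, because a skipped entry silently disables the check."""
    expected: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line.strip())
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in expected:
            raise ValueError(f"manifest lists {name!r} twice")
        expected[name] = digest
    return expected


def verify_delivery(delivered: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Per-file verdict: 'ok', 'mismatch', 'unlisted' (delivered but not in the
    manifest) or 'missing' (in the manifest but not delivered)."""
    expected = parse_manifest(manifest_text)
    verdicts: Dict[str, str] = {}
    for name, data in delivered.items():
        if name not in expected:
            verdicts[name] = "unlisted"  # no published hash means no basis to accept it
            continue
        actual = sha256_bytes(data)
        verdicts[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"
    for name in expected:
        verdicts.setdefault(name, "missing")
    return verdicts


def delivery_accepted(verdicts: Dict[str, str]) -> bool:
    """CI gate: every file must be 'ok'; any other verdict fails the whole delivery."""
    return all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    manifest = build_manifest(PUBLISHED_ARTIFACTS)
    results = verify_delivery(DELIVERED_ARTIFACTS, manifest)
    for name, verdict in sorted(results.items()):
        print(f"{verdict:9s} {name}")
    raise SystemExit(0 if delivery_accepted(results) else 1)
```

Run as a script, the sample delivery exits non-zero because the Windows package mismatches and `extra-tool.bin` is unlisted; a pipeline should fail the whole delivery on any non-`ok` verdict rather than install the files that happened to pass.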