bigforceone

03.17.02

What this control requires

Source: NIST SP 800-171 R3 §03.17.02 (official control text).

Why this matters

This control ensures organizations don't unknowingly introduce compromised hardware, software, or services into their environment through the procurement process. Without deliberate acquisition safeguards, attackers can insert backdoors during manufacturing, counterfeit components can create reliability gaps, or malicious code can arrive pre-installed from unvetted vendors. These supply chain attacks bypass perimeter defenses entirely because the threat originates inside trusted products. Implementing acquisition strategies protects the organization from nation-state compromises, intellectual property theft embedded in equipment, and cascading failures from substandard components that appear legitimate.

What evidence assessors expect

Assessors typically look for: PDF, training certificate. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
