SA-19(1): Anti-counterfeit Training

To meet the SA-19(1) Anti-counterfeit Training requirement, you must implement role-appropriate training that teaches staff how to prevent, detect, report, and respond to counterfeit components across the system and supply chain, then retain proof that the training is assigned, completed, and refreshed. Operationalize it by defining scope, assigning ownership, training targeted roles, and producing assessment-ready evidence mapped to SA-19(1). 1

Key takeaways:

  • Train the people who touch procurement, receiving, integration, maintenance, and incident response for component authenticity risks.
  • Build the control around auditable operations: assignments, completion logs, content, refresh cadence, and exception handling.
  • Evidence is the exam risk: missing artifacts are a common failure mode even when training occurred. 1

SA-19(1) sits in the System and Services Acquisition family and focuses on a practical point: counterfeit hardware, software, and components are a security problem and a supply chain problem. For many programs, the technical controls (secure boot, code signing, inventory) get attention, while the operational reality of procurement, receiving, and maintenance workflows gets less scrutiny. SA-19(1) forces you to close that gap by training the people who make day-to-day decisions that can admit counterfeit items into your environment.

For a CCO, GRC lead, or Compliance Officer, “training” only passes an assessment if you can show (1) who must take it, (2) what it covers, (3) that it was completed, (4) that it is kept current, and (5) that it ties to the organization’s broader anti-counterfeit and supply chain security practices. Your fastest path is to treat SA-19(1) like an operational control with a clear owner, a simple procedure, and recurring evidence artifacts that are easy to produce on demand. 1

Regulatory text

Excerpt (as provided): “NIST SP 800-53 control SA-19.1.” 2

Operator meaning: You must implement anti-counterfeit training as an explicit, assessable control enhancement under SA-19. In practice, auditors will expect a defined training requirement tied to anti-counterfeit and supply chain protections, targeted audiences based on job function, and objective evidence that training is delivered and maintained. 1

Plain-English interpretation (what SA-19(1) requires)

SA-19(1) expects you to train relevant personnel to reduce the risk that counterfeit components enter, persist in, or compromise your systems. The control is not satisfied by generic security awareness alone. The training must cover counterfeit-specific risks and the actions staff must take in your organization’s workflows: how to spot red flags, what to do when something looks wrong, and how to escalate without slowing critical operations or creating blame-driven underreporting. 1

Who it applies to

Entity scope

  • Federal information systems and programs adopting NIST SP 800-53 Rev. 5 controls. 1
  • Contractors and other third parties handling federal data or operating systems on behalf of federal agencies where SA-family controls are flowed down contractually. 1

Operational context (who must be trained)

Train based on exposure to supply chain decisions, not org chart seniority. Typical in-scope roles:

  • Procurement and sourcing staff (including purchasing card holders where applicable)
  • Third-party risk management (TPRM) and supplier management
  • Receiving/warehouse and asset intake teams
  • IT asset management (ITAM) and configuration management
  • Engineers/architects approving parts, images, or bill of materials (BOM/SBOM) inputs
  • Data center/field service technicians performing break/fix
  • Security operations and incident response (IR) for escalation/triage
  • Quality assurance and internal audit (as validators)

What you actually need to do (step-by-step)

1) Assign a control owner and write a one-page procedure

Pick one accountable owner (often Supply Chain, Security, or GRC). Document:

  • Purpose: prevent/detect/respond to counterfeit components
  • Scope: which systems, locations, and component types (hardware, firmware, software media, spares)
  • Training audiences by role and how you identify them (HR job codes, AD groups, ticketing roles)
  • Training frequency/refresh trigger (e.g., onboarding, role change, and periodic refresh as you define)
  • Exceptions process (temporary access, contractors, emergency maintenance) and compensating steps

This is the “show me” document in an assessment because it turns a training idea into an operated control. 1

2) Define training content as outcomes, then map to your workflows

Write the training as required behaviors, then match them to real steps in your intake lifecycle:

Minimum topics to cover (practical set)

  • What “counterfeit” means for your environment (unauthorized, altered, substituted, falsified provenance)
  • Common red flags: packaging anomalies, serial mismatches, unusual pricing/lead times, documentation gaps, supplier changes
  • Approved sourcing channels and prohibited channels
  • Receiving and inspection steps: verify shipment integrity, verify identifiers, quarantine process
  • Chain of custody expectations for sensitive components
  • What to do if suspected: stop use, isolate/quarantine, preserve evidence, escalate
  • Reporting path: who gets notified (Security, Supply Chain, Program, Legal/Contracts as needed)
  • Interaction with incident response and problem management

Then explicitly tie these to your existing processes (procure-to-pay, receiving SOPs, ticketing, CMDB updates). Training that is disconnected from workflow will fail in practice and is hard to defend in an audit. 1

3) Build role-based training assignments (avoid “everyone gets the same module”)

Create at least two tiers:

  • Tier A (high exposure): procurement, receiving, ITAM/CM, engineers approving components, field service, security/IR
  • Tier B (general exposure): IT staff who request parts, project managers who approve suppliers, help desk leaders

Add micro-modules for niche roles (example: data center technicians get a short “quarantine and escalation” runbook walkthrough). Maintain a matrix that shows “role → required module(s) → system(s) for completion tracking.” 1

4) Implement delivery and tracking in a system you can evidence

Use your LMS if you have one. If you don’t, use a controlled process with:

  • Roster assignment records
  • Completion attestations (signed or system-logged)
  • Version-controlled training materials
  • A retrievable report format (CSV/PDF export)

Your objective is not training elegance; it is repeatable delivery with clean evidence. 1

5) Add a simple “counterfeit suspicion” operating loop

Training must connect to action. Establish:

  • A quarantine label and storage location (physical and logical)
  • A ticket type or incident category for “suspected counterfeit component”
  • A triage owner (Supply Chain or Security, depending on your model)
  • A decision record: disposition, supplier notification path, and lessons learned updates to training content

Close the loop by updating training when a real event happens or when suppliers/parts change. 1

6) Make it assessment-ready: map, test, and refresh evidence

Create a control mapping entry in your control library:

  • Control statement for SA-19(1)
  • Owner, system scope
  • Procedure link
  • Evidence list with collection frequency
  • Last test date and tester (internal audit, GRC testing, or security assurance)

If you use Daydream, store the SA-19(1) mapping, owner, procedure, and evidence artifacts in one place so you can answer assessor requests with a single export and avoid last-minute screenshot hunts. 1
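Steps 3, 4 and 6 above come down to one join: the role-to-training matrix, the roster, and the completion log, checked for missing records, superseded content versions and overdue refreshes, then exported in a retrievable format. The script below is an added example of that control self-test; it is not code from the page or from any LMS or GRC product. The module ids (ACF-100 and so on), versions, refresh cadence, roles, names and dates are all constructed sample data.

```python
"""Control self-test for SA-19(1) training evidence.

Joins a role-to-training matrix, a roster and a completion log and
reports every in-scope person whose required module is missing,
was taken on a superseded content version, or is past its refresh
date. All data below is constructed sample data, not records from
any real LMS.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import csv
import io

# Hypothetical module catalogue: module id -> (current content version,
# refresh period in days). Ids, versions and cadence are assumptions.
MODULES = {
    "ACF-100": ("v3", 365),   # core: counterfeit risks, red flags, reporting path
    "ACF-210": ("v2", 365),   # receiving and inspection, quarantine process
    "ACF-220": ("v1", 365),   # field service: quarantine and escalation runbook
}

# Role-to-training matrix (step 3). Tier A roles get a workflow-specific
# module on top of the core module; Tier B gets the core module only.
ROLE_MATRIX = {
    "procurement":   {"ACF-100", "ACF-210"},
    "receiving":     {"ACF-100", "ACF-210"},
    "field_service": {"ACF-100", "ACF-220"},
    "help_desk":     {"ACF-100"},
}

@dataclass(frozen=True)
class Person:
    user: str
    role: str

@dataclass(frozen=True)
class Completion:
    user: str
    module: str
    version: str
    completed_on: date

# Constructed roster and completion log.
ROSTER = [
    Person("alice", "procurement"),
    Person("bob", "receiving"),
    Person("carol", "field_service"),
    Person("dave", "help_desk"),
    Person("erin", "unknown_role"),   # role not in matrix -> scoping gap
]

COMPLETIONS = [
    Completion("alice", "ACF-100", "v3", date(2024, 2, 1)),
    Completion("alice", "ACF-210", "v2", date(2024, 2, 1)),
    Completion("bob",   "ACF-100", "v3", date(2023, 1, 15)),  # older than 365 days
    Completion("bob",   "ACF-210", "v2", date(2024, 3, 1)),
    Completion("carol", "ACF-100", "v2", date(2024, 3, 1)),   # superseded version
    # carol has no ACF-220 record; dave has no record at all
]

AS_OF = date(2024, 6, 1)   # assessment date for the sample run

def latest_completions(completions):
    """Most recent completion per (user, module); the version travels with it."""
    latest = {}
    for c in completions:
        key = (c.user, c.module)
        if key not in latest or c.completed_on > latest[key].completed_on:
            latest[key] = c
    return latest

def control_self_test(roster, completions, matrix, modules, as_of):
    """Return findings as (user, module, finding) tuples.

    Finding kinds: 'role_not_mapped', 'missing', 'superseded_version',
    'refresh_overdue'. An empty list means the evidence is clean.
    """
    latest = latest_completions(completions)
    findings = []
    for p in roster:
        required = matrix.get(p.role)
        if required is None:
            findings.append((p.user, "", "role_not_mapped"))
            continue
        for module in sorted(required):
            current_version, refresh_days = modules[module]
            c = latest.get((p.user, module))
            if c is None:
                findings.append((p.user, module, "missing"))
            elif c.version != current_version:
                findings.append((p.user, module, "superseded_version"))
            elif as_of - c.completed_on > timedelta(days=refresh_days):
                findings.append((p.user, module, "refresh_overdue"))
    return findings

def evidence_export(findings):
    """Render findings as CSV text, the retrievable report format step 4 asks for."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["user", "module", "finding"])
    w.writerows(findings)
    return buf.getvalue()

def sample_findings():
    """Run the self-test over the constructed sample data."""
    return control_self_test(ROSTER, COMPLETIONS, ROLE_MATRIX, MODULES, AS_OF)

if __name__ == "__main__":
    print(evidence_export(sample_findings()))
```

The roster logic is deliberately the weak point: a person whose role is not in the matrix is reported as a scoping gap rather than silently skipped, which is the "how do you know you didn't miss anyone?" question assessors ask. Run on a schedule and archived with the procedure version, the CSV output doubles as the recurring operating evidence.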

Required evidence and artifacts to retain

Keep artifacts that prove both design and operation:

Design evidence

  • Anti-counterfeit training procedure (version-controlled)
  • Training content (slides, module text, quiz questions if used)
  • Role-to-training matrix (who is required to take what)
  • Workflow references (receiving SOP, procurement policy excerpts, quarantine/runbook)

Operating evidence

  • Training assignment roster (by role or named individuals)
  • Completion logs (with dates, module version, and user identity)
  • New-hire and role-change assignment records
  • Exception approvals and compensating controls
  • Records of updates to training after process changes or incidents (change log)

Common exam/audit questions and hangups

Assessors tend to press on these points for SA-19(1):

  1. “Who is in scope, and how do you know you didn’t miss anyone?” Expect to show a repeatable roster logic (job codes, access groups, procurement authority lists).
  2. “Show me the training content and how it relates to your process.” Generic awareness content will draw follow-up questions.
  3. “How do contractors and third-party staff get trained?” Contract language plus completion evidence is the cleanest answer.
  4. “What happens when someone suspects a counterfeit?” They will look for an escalation path and proof it is known by staff.
  5. “How do you keep training current?” A defined trigger (policy change, supplier change, incident) is easier to defend than “as needed.” 1

Frequent implementation mistakes (and how to avoid them)

| Mistake | Why it fails | Fix |
| --- | --- | --- |
| One generic module for all staff | High-risk roles need workflow-specific steps | Use a tiered model and a role-to-training matrix |
| Training exists but no completion evidence | Audits grade evidence, not intent | Centralize logs and exportable reports |
| No quarantine/escalation mechanism | Staff learn theory but cannot act | Add a ticket category, owner, and quarantine steps |
| Scope limited to procurement only | Counterfeit entry points include receiving and maintenance | Include receiving, ITAM/CM, engineering, field service |
| No version control | You cannot prove what was taught at a given time | Track content versions and effective dates |

Enforcement context and risk implications (practical)

No public enforcement cases were provided in the available source catalog for this requirement. 2

Operationally, counterfeit components can create security exposure (malicious modification, hidden functionality, unpatched firmware), reliability failures, and contractual noncompliance risk where federal requirements are flowed down. The direct assessment risk for SA-19(1) is simpler: if you cannot show training is assigned, completed, and maintained for in-scope roles, you will struggle to pass control testing even if your teams are generally competent. 1

Practical 30/60/90-day execution plan

First 30 days (stand up the control)

  • Name a control owner and back-up.
  • Draft the one-page anti-counterfeit training procedure.
  • Identify in-scope roles and build the initial roster logic.
  • Collect or draft training content aligned to your intake/receiving/maintenance workflows.
  • Decide your tracking system (LMS or controlled spreadsheet + attestations) and reporting format. 1

Days 31–60 (deliver and prove operation)

  • Assign Tier A training and require completion.
  • Pilot the counterfeit suspicion workflow: quarantine step + ticket category + triage owner.
  • Run a table-top scenario: “suspected counterfeit spare part discovered during maintenance.”
  • Produce your first evidence pack: roster, completions, content version, and procedure. 1

Days 61–90 (harden for assessments)

  • Expand to Tier B training where appropriate.
  • Add contractor/third-party training requirements into onboarding and contract checklists.
  • Implement periodic reporting to control owner: overdue training, exceptions, and trend notes.
  • Perform a control self-test: sample completions, verify role scoping, confirm evidence retrievability.
  • Store the mapping, procedure, and recurring artifacts in Daydream (or your GRC system) so SA-19(1) stays audit-ready. 1

Frequently Asked Questions

Does SA-19(1) require training for all employees?

SA-19(1) is best implemented as role-based training focused on personnel who can introduce, accept, install, or approve components. You can still provide a lighter module to general staff, but auditors will focus on high-exposure roles. 1

Can we satisfy SA-19(1) with general security awareness training?

Usually no. You need counterfeit-specific content tied to procurement, receiving, maintenance, and escalation workflows, plus evidence that in-scope roles completed it. 1

What evidence do auditors ask for first?

Expect requests for the training procedure, the training content, the roster of required trainees, and completion logs that show dates and module version. If you cannot export completion reports, fix that before an assessment. 1

How should we handle contractors or third-party technicians?

Define whether they complete your training or provide equivalent training evidence. Then enforce it through onboarding and contractual requirements, and retain completion or attestation records with the engagement documentation. 1

What if we buy hardware only from “trusted” resellers?

Keep the training anyway. Staff still need to recognize red flags, follow receiving checks, and know the escalation path for anomalies like mismatched serials or unexpected substitutions. 1

How do we keep SA-19(1) from turning into a yearly scramble?

Treat it as a recurring control with defined evidence artifacts and a standard export. In Daydream, maintain the SA-19(1) mapping, owner, procedure, and evidence checklist so you can refresh artifacts on schedule and respond to requests quickly. 1

Footnotes

  1. NIST SP 800-53 Rev. 5

  2. NIST SP 800-53 Rev. 5 OSCAL JSON
