Chain of Custody and Critical Infrastructure Systems

Chain of custody is a complex process. Often associated with the preservation of evidence for law enforcement, chain of custody also plays an important role in security and risk mitigation for critical infrastructure sectors and their assets. Without secure chain of custody practices, critical infrastructure systems and assets could be unknowingly accessed and manipulated by threat actors. The integrity of critical infrastructure assets and systems could also be questioned, with the inability of critical infrastructure owners and operators to prove otherwise.

This CISA Insights provides an overview of what chain of custody is, highlights the potential impacts and risks resulting from a broken chain of custody, and offers critical infrastructure owners and operators an initial framework with five actionable steps for securing chain of custody for their physical and digital assets.


Chain of custody is a process used to track the movement and control of an asset through its lifecycle by documenting each person and organization who handles an asset, the date/time it was collected or transferred, and the purpose of the transfer. Examples of assets include equipment, infrastructure, evidence, systems, and data. Maintaining the chain of custody increases transparency and enables accountability for actions taken on the asset. In practice, chain-of-custody documentation can support risk mitigation by reducing the opportunity for malicious actors to tamper with the asset (e.g., equipment, data, or evidence).


A break in the chain of custody refers to a period during which control of an asset (e.g., systems, data, or infrastructure) is uncertain and during which actions taken on the asset are unaccounted for or unconfirmed. Such breaks present opportunities for malicious activity that may compromise the integrity of the asset. In the event that the chain of custody is broken, the integrity and reliability of the asset's system, components, and accompanying data should be evaluated as to whether they can be restored to their original state and reinstated into the asset.

A break in the chain of custody occurring due to a non-validated organization or bad actor gaining custody or access increases the risk that the integrity or reliability of the asset cannot be restored. The available information may not be sufficient to prove that the confidentiality, integrity, or availability of the asset was not compromised.


To address risk and improve security and resilience, owners and operators of critical infrastructure can utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to establish chain-of-custody standards, guidelines, and practices. NIST created the CSF—which is a flexible, repeatable, performance-based, and cost-effective model that consists of five concurrent and continuous functions—to improve risk management in critical infrastructure. The list of actionable steps for each CSF function include to Identify, Protect, Detect, Respond, and Recover.


Critical infrastructure owners and operators should routinely audit chain of custody processes to prove that the authenticity of the data collected has been maintained across all stages. Audits should look for evidence that demonstrates the effectiveness and durability of the procedures, processes, systems, and training. Trialing chain of custody processes also provides owners and operators the opportunity to ensure there are no gaps in the chain of custody process, and that sufficient evidence exists to maintain a defensible trail of collected data for a litigation or investigation.

Download this CISA Insights for examples of digital and physical chain of custody, potential impacts of a broken chain of custody, detailed information on each of the actionable steps, and more. 

Return to the CISA Insights webpage.

Attachment Media