A company is required to use certified hardware when building networks. Which of the following best addresses the risks associated with procuring counterfeit hardware?

While a legally enforceable acquisition policy can help establish guidelines for procurement, it does not actively address the risks associated with counterfeit hardware. Without the implementation of a supply chain analysis, such a policy may not effectively prevent counterfeit products from being acquired, as it lacks the detailed oversight necessary to verify supplier authenticity.

Though a right to audit clause can provide some level of oversight, it is reactive rather than proactive. Auditing vendors after they have been engaged does not prevent counterfeit hardware from being supplied initially. This approach relies on post-purchase verification, which might still allow counterfeit items to cause issues before detection occurs.

In-depth penetration tests focus on the security of systems rather than the authenticity of hardware products. While important for cybersecurity, this option does not directly address the procurement of counterfeit hardware. It assesses vulnerabilities within existing systems rather than ensuring that the hardware being used is legitimate and certified.