💼 GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
- ID: /frameworks/nist-csf-v2.0/gv-sc/05
Description
- Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
- Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
- Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
- Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
- Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
- Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
- Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
- Contractually require suppliers to vet their employees and guard against insider threats
- Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
- Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks
Similar
- Sections
- /frameworks/nist-csf-v1.1/id-sc/03
- /frameworks/nist-sp-800-53-r5/sa/04
- /frameworks/nist-sp-800-53-r5/sa/09
- /frameworks/nist-sp-800-53-r5/sr/03
- /frameworks/nist-sp-800-53-r5/sr/05
- /frameworks/nist-sp-800-53-r5/sr/06
- /frameworks/nist-sp-800-53-r5/sr/10
Similar Sections (Take Policies From)
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 NIST CSF v1.1 → 💼 ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan | no data | | | | |
| 💼 NIST SP 800-53 Revision 5 → 💼 SA-4 Acquisition Process | 12 | no data | | | |
| 💼 NIST SP 800-53 Revision 5 → 💼 SA-9 External System Services | 8 | 1 | 1 | no data | |
| 💼 NIST SP 800-53 Revision 5 → 💼 SR-3 Supply Chain Controls and Processes | 3 | no data | | | |
| 💼 NIST SP 800-53 Revision 5 → 💼 SR-5 Acquisition Strategies, Tools, and Methods | 2 | no data | | | |
| 💼 NIST SP 800-53 Revision 5 → 💼 SR-6 Supplier Assessments and Reviews | 1 | no data | | | |
| 💼 NIST SP 800-53 Revision 5 → 💼 SR-10 Inspection of Systems or Components | no data | | | | |
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| no data | | | | | |