GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
- Contextual name: GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
- ID: /frameworks/nist-csf-v2.0/gv-sc/05
- Located in: Cybersecurity Supply Chain Risk Management (GV.SC)
Description
- Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
- Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
- Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
- Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
- Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
- Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
- Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
- Contractually require suppliers to vet their employees and guard against insider threats
- Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
- Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks
Similar
- Sections
  - /frameworks/nist-csf-v1.1/id-sc/03
  - /frameworks/nist-sp-800-53-r5/sa/04
  - /frameworks/nist-sp-800-53-r5/sa/09
  - /frameworks/nist-sp-800-53-r5/sr/03
  - /frameworks/nist-sp-800-53-r5/sr/05
  - /frameworks/nist-sp-800-53-r5/sr/06
  - /frameworks/nist-sp-800-53-r5/sr/10
Similar Sections (Take Policies From)
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
NIST CSF v1.1 → ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan | | | |
NIST SP 800-53 Revision 5 → SA-4 Acquisition Process | 12 | | |
NIST SP 800-53 Revision 5 → SA-9 External System Services | 8 | 1 | 1 |
NIST SP 800-53 Revision 5 → SR-3 Supply Chain Controls and Processes | 3 | | |
NIST SP 800-53 Revision 5 → SR-5 Acquisition Strategies, Tools, and Methods | 2 | | |
NIST SP 800-53 Revision 5 → SR-6 Supplier Assessments and Reviews | 1 | | |
NIST SP 800-53 Revision 5 → SR-10 Inspection of Systems or Components | | | |
Sub Sections
(no sub sections listed)