Skip to main content

πŸ’Ό GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

  • Contextual name: πŸ’Ό GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
  • ID: /frameworks/nist-csf-v2.0/gv-sc/07
  • Located in: πŸ’Ό Cybersecurity Supply Chain Risk Management (GV.SC)

Description​

  1. Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
  2. Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
  3. Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
  4. Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
  5. Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

Similar​

  • Sections
    • /frameworks/nist-csf-v1.1/id-sc/02
    • /frameworks/nist-csf-v1.1/id-sc/04
    • /frameworks/nist-sp-800-53-r5/ra/09
    • /frameworks/nist-sp-800-53-r5/sa/04
    • /frameworks/nist-sp-800-53-r5/sa/09
    • /frameworks/nist-sp-800-53-r5/sr/03
    • /frameworks/nist-sp-800-53-r5/sr/06

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process77
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations1619
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό RA-9 Criticality Analysis
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-4 Acquisition Process12
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-9 External System Services811
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SR-3 Supply Chain Controls and Processes3
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SR-6 Supplier Assessments and Reviews1

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags

Policies (26)​

PolicyLogic CountFlags
πŸ“ AWS Account Multi-Region CloudTrail is not enabled 🟒1🟒 x6
πŸ“ AWS CloudTrail S3 Bucket Access Logging is not enabled. 🟒1🟒 x6
πŸ“ AWS KMS Symmetric CMK Rotation is not enabled 🟒1🟒 x6
πŸ“ AWS S3 Bucket Server Access Logging is not enabled 🟒1🟒 x6
πŸ“ AWS VPC Flow Logs are not enabled 🟒1🟠 x1, 🟒 x5
πŸ“ Azure Diagnostic Setting for Azure Key Vault is not enabled 🟒🟒 x3
πŸ“ Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON 🟒1🟒 x6
πŸ“ Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days 🟒1🟒 x6
πŸ“ Azure PostgreSQL Single Server log_connections Parameter is not set to ON 🟒1🟒 x6
πŸ“ Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON 🟒1🟒 x6
πŸ“ Azure SQL Server Auditing Retention is less than 90 days 🟒1🟒 x6
πŸ“ Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests 🟒1🟒 x6
πŸ“ Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests 🟒1🟒 x6
πŸ“ Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist 🟒1🟒 x6
πŸ“ Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist 🟒1🟒 x6
πŸ“ Azure Subscription Activity Log Alert for Create Policy Assignment does not exist 🟒1🟒 x6
πŸ“ Azure Subscription Activity Log Alert for Delete Network Security Group does not exist 🟒1🟒 x6
πŸ“ Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist 🟒1🟒 x6
πŸ“ Azure Subscription Activity Log Alert for Delete Security Solution does not exist 🟒1🟒 x6
πŸ“ Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On 🟒1🟒 x6
πŸ“ Azure Subscription Microsoft Defender For App Services is not set to On 🟒1🟒 x6
πŸ“ Azure Subscription Microsoft Defender For Containers is not set to On 🟒1🟒 x6
πŸ“ Azure Subscription Microsoft Defender For Key Vault is not set to On 🟒1🟒 x6
πŸ“ Azure Subscription Microsoft Defender For Servers is not set to On 🟒1🟒 x6
πŸ“ Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On 🟒1🟒 x6
πŸ“ Azure Subscription Microsoft Defender For Storage is not set to On 🟒1🟒 x6