💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

• ID: /frameworks/nist-csf-v2.0/gv-sc/07

Description

1. Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
2. Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
3. Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
4. Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
5. Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

Similar

• Sections
  • /frameworks/nist-csf-v1.1/id-sc/02
  • /frameworks/nist-csf-v1.1/id-sc/04
  • /frameworks/nist-sp-800-53-r5/ra/09
  • /frameworks/nist-sp-800-53-r5/sa/04
  • /frameworks/nist-sp-800-53-r5/sa/09
  • /frameworks/nist-sp-800-53-r5/sr/03
  • /frameworks/nist-sp-800-53-r5/sr/06

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 NIST CSF v1.1 → 💼 ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process		7	7		no data
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations		15	19		no data
💼 NIST SP 800-53 Revision 5 → 💼 RA-9 Criticality Analysis					no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-4 Acquisition Process	12				no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-9 External System Services	8	1	1		no data
💼 NIST SP 800-53 Revision 5 → 💼 SR-3 Supply Chain Controls and Processes	3				no data
💼 NIST SP 800-53 Revision 5 → 💼 SR-6 Supplier Assessments and Reviews	1				no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (26)

Policy	Logic Count	Flags	Compliance
🛡️ AWS CloudFront Distribution Logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS CloudTrail S3 Bucket Access Logging is not enabled.🟢	1	🟢 x6	no data
🛡️ AWS KMS Symmetric CMK Rotation is not enabled🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket Server Access Logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS VPC Flow Logs are not enabled🟢	1	🟠 x1, 🟢 x5	no data
🛡️ Azure Diagnostic Setting for Azure Key Vault is not enabled🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Single Server log_connections Parameter is not set to ON🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON🟢	1	🟢 x6	no data
🛡️ Azure SQL Server Auditing Retention is less than 90 days🟢	1	🟢 x6	no data
🛡️ Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests🟢	1	🟢 x6	no data
🛡️ Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests🟢	1	🟢 x6	no data
🛡️ Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist🟢	1	🟢 x6	no data
🛡️ Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist🟢	1	🟢 x6	no data
🛡️ Azure Subscription Activity Log Alert for Create Policy Assignment does not exist🟢	1	🟢 x6	no data
🛡️ Azure Subscription Activity Log Alert for Delete Network Security Group does not exist🟢	1	🟢 x6	no data
🛡️ Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist🟢	1	🟢 x6	no data
🛡️ Azure Subscription Activity Log Alert for Delete Security Solution does not exist🟢	1	🟢 x6	no data
🛡️ Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On🟢	1	🟢 x6	no data
🛡️ Azure Subscription Microsoft Defender For App Services is not set to On🟢	1	🟢 x6	no data
🛡️ Azure Subscription Microsoft Defender For Containers is not set to On🟢	1	🟢 x6	no data
🛡️ Azure Subscription Microsoft Defender For Key Vault is not set to On🟢	1	🟢 x6	no data
🛡️ Azure Subscription Microsoft Defender For Servers is not set to On🟢	1	🟢 x6	no data
🛡️ Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On🟢	1	🟢 x6	no data
🛡️ Azure Subscription Microsoft Defender For Storage is not set to On🟢	1	🟢 x6	no data