Skip to main content

πŸ’Ό GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

  • Contextual name: πŸ’Ό GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
  • ID: /frameworks/nist-csf-v2.0/gv-sc/09
  • Located in: πŸ’Ό Cybersecurity Supply Chain Risk Management (GV.SC)

Description​

  1. Policies and procedures require provenance records for all acquired technology products and services
  2. Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
  3. Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
  4. Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
  5. Policies and procedure require checking upgrades to critical hardware for unauthorized changes

Similar​

  • Sections
    • /frameworks/nist-csf-v1.1/id-sc/01
    • /frameworks/nist-sp-800-53-r5/pm/09
    • /frameworks/nist-sp-800-53-r5/pm/19
    • /frameworks/nist-sp-800-53-r5/pm/28
    • /frameworks/nist-sp-800-53-r5/pm/30
    • /frameworks/nist-sp-800-53-r5/pm/31
    • /frameworks/nist-sp-800-53-r5/ra/03
    • /frameworks/nist-sp-800-53-r5/ra/07
    • /frameworks/nist-sp-800-53-r5/sa/04
    • /frameworks/nist-sp-800-53-r5/sa/09
    • /frameworks/nist-sp-800-53-r5/sr/02
    • /frameworks/nist-sp-800-53-r5/sr/03
    • /frameworks/nist-sp-800-53-r5/sr/05
    • /frameworks/nist-sp-800-53-r5/sr/06

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό PM-9 Risk Management Strategy
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό PM-19 Privacy Program Leadership Role
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό PM-28 Risk Framing
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό PM-30 Supply Chain Risk Management Strategy1
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό PM-31 Continuous Monitoring Strategy
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό RA-3 Risk Assessment4
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό RA-7 Risk Response
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-4 Acquisition Process12
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-9 External System Services811
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SR-2 Supply Chain Risk Management Plan1
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SR-3 Supply Chain Controls and Processes3
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SR-5 Acquisition Strategies, Tools, and Methods2
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SR-6 Supplier Assessments and Reviews1

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags