PM-30 Supply Chain Risk Management Strategy
- Contextual name: PM-30 Supply Chain Risk Management Strategy
- ID: /frameworks/nist-sp-800-53-r5/pm/30
- Located in: PM Program Management
Description
a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
b. Implement the supply chain risk management strategy consistently across the organization; and
c. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes.
Similar
Similar Sections (Give Policies To)
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| NIST CSF v2.0 → DE.AE-04: The estimated impact and scope of adverse events are understood | | | 14 | |
| NIST CSF v2.0 → GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | | | 7 | |
| NIST CSF v2.0 → GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated | | | 4 | |
| NIST CSF v2.0 → GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | | | | |
| NIST CSF v2.0 → GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | | | | |
| NIST CSF v2.0 → GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | | | | |
| NIST CSF v2.0 → GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated | | | | |
| NIST CSF v2.0 → GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | | | | |
| NIST CSF v2.0 → GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | | | | |
| NIST CSF v2.0 → GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | | | | |
| NIST CSF v2.0 → GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | | | | |
| NIST CSF v2.0 → GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | | | | |
| NIST CSF v2.0 → GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | | | 7 | |
| NIST CSF v2.0 → GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | | | | |
| NIST CSF v2.0 → ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated | | | 7 | |
Sub Sections