
💼 SR-2 Supply Chain Risk Management Plan

  • ID: /frameworks/nist-sp-800-53-r5/sr/02

Description

a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services];

b. Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and

c. Protect the supply chain risk management plan from unauthorized disclosure and modification.

Similar

  • Internal
    • ID: dec-c-e25d0f35

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 FedRAMP High Security Controls → 💼 SR-2 Supply Chain Risk Management Plan (L)(M)(H) | 1 | no data
💼 FedRAMP Low Security Controls → 💼 SR-2 Supply Chain Risk Management Plan (L)(M)(H) | 1 | no data
💼 NIST CSF v2.0 → 💼 GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders | no data
💼 NIST CSF v2.0 → 💼 GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | no data
💼 NIST CSF v2.0 → 💼 GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated | no data
💼 NIST CSF v2.0 → 💼 GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | no data
💼 NIST CSF v2.0 → 💼 GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | no data
💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | 10 | no data
💼 NIST CSF v2.0 → 💼 GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | 1 | no data
💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | no data
💼 NIST CSF v2.0 → 💼 GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | 1 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-04: Inventories of services provided by suppliers are maintained | no data
💼 NIST CSF v2.0 → 💼 ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | 3 | no data

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 SR-2(1) Supply Chain Risk Management Plan: Establish SCRM Team | no data