💼 SR-3 Supply Chain Controls and Processes

• ID: /frameworks/nist-sp-800-53-r5/sr/03

Stats

not available

Description

a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and c. Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]].

Similar

• Internal
  • ID: dec-c-e45d4a81

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP High Security Controls → 💼 SR-3 Supply Chain Controls and Processes (L)(M)(H)					no data
💼 FedRAMP Low Security Controls → 💼 SR-3 Supply Chain Controls and Processes (L)(M)(H)					no data
💼 NIST CSF v2.0 → 💼 GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered			7		no data
💼 NIST CSF v2.0 → 💼 GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders					no data
💼 NIST CSF v2.0 → 💼 GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally					no data
💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes			10		no data
💼 NIST CSF v2.0 → 💼 GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties					no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship			26		no data
💼 NIST CSF v2.0 → 💼 GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities			1		no data
💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle					no data
💼 NIST CSF v2.0 → 💼 GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement			1		no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents			31		no data
💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders			19		no data
💼 NIST CSF v2.0 → 💼 RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared			1		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 SR-3(1) Supply Chain Controls and Processes _ Diverse Supply Base					no data
💼 SR-3(2) Supply Chain Controls and Processes _ Limitation of Harm					no data
💼 SR-3(3) Supply Chain Controls and Processes _ Sub-tier Flow Down					no data