πΌ SR-6 Supplier Assessments and Reviews
Descriptionβ
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].
Similarβ
Similar Sections (Give Policies To)β
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
| πΌ FedRAMP High Security Controls β πΌ SR-6 Supplier Assessments and Reviews (M)(H) | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | | | 7 | |
| πΌ NIST CSF v2.0 β πΌ GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-04: Suppliers are known and prioritized by criticality | | | 7 | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | | | 26 | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | | | | |
| πΌ NIST CSF v2.0 β πΌ ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use | | | | |
| πΌ NIST CSF v2.0 β πΌ ID.RA-10: Critical suppliers are assessed prior to acquisition | | | 26 | |
Sub Sectionsβ