ID.SC: Supply Chain Risk Management
Description
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
Framework Subcategories
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
[csf.tools Note: Subcategories do not have detailed descriptions.]
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers