ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
SA-4: Acquisition Process
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Assignment (one or more): standardized contract language, [Assignment: organization-defined contract language] ] in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; Strength of mechanism requirements; Security and privacy assurance requirements; Controls needed to satisfy the…
SA-9: External System Services
Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; Define and document organizational oversight and user roles and responsibilities with regard to external system services; and Employ the following processes, methods, and techniques to monitor control compliance by external service providers on…
SR-2: Supply Chain Risk Management Plan
Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as…
SR-3: Supply Chain Controls and Processes
Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit…
SR-5: Acquisition Strategies, Tools, and Methods
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
Cloud Controls Matrix v3.0.1
CCC-01: New Development / Acquisition
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function.
CCC-02: Outsourced Development
External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
STA-05: Supply Chain Agreements
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms: Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities…
Critical Security Controls Version 8
15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
NIST Special Publication 800-53 Revision 4
PM-9: Risk Management Strategy
The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; Implements the risk management strategy consistently across the organization; and Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational…
SA-9: External Information System Services
The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and Employs…
SA-11: Developer Security Testing And Evaluation
The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan; Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; Produce evidence of the execution of the security assessment plan and the results of the security…
SA-12: Supply Chain Protection
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
Critical Security Controls Version 7.1
18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.