GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

Subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.


[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship

Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers

Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements

Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use
