GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

Subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.


[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers

Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response

Ex3: Include critical suppliers in incident response exercises and simulations

Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers

Ex5: Conduct collaborative lessons learned sessions with critical suppliers

3rd: 3rd Party Risk