GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

Info icon.

Subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.


[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

Ex1: Policies and procedures require provenance records for all acquired technology products and services

Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic

Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers

Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products

Ex5: Policies and procedure require checking upgrades to critical hardware for unauthorized changes

3rd: 3rd Party Risk