GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

Info icon.

Subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.


[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances

Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence

Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed

Ex4: Verify that assets containing the organization's data are returned or properly disposed of in a timely, controlled, and safe manner

Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account

Ex6: Mitigate risks to data and systems created by supplier termination

Ex7: Manage data leakage risks associated with supplier termination

3rd: 3rd Party Risk