SA-12(15): Processes To Address Weaknesses Or Deficiencies

Control Family:

System And Services Acquisition

Parent Control:

SA-12: Supply Chain Protection

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

Baselines:

(Not part of any baseline)

Control is withdrawn in the next version of this control set and incorporated into: SR-3: Supply Chain Controls and Processes.

Control Statement

The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.

Supplemental Guidance

Evidence generated during independent or organizational assessments of supply chain elements (e.g., penetration testing, audits, verification/validation activities) is documented and used in follow-on processes implemented by organizations to respond to the risks related to the identified weaknesses and deficiencies. Supply chain elements include, for example, supplier development processes and supplier distribution systems.