IR-4(10): Supply Chain Coordination

Control Family:

Incident Response

CSF v2.0 References:


(Not part of any baseline)

Previous Version:

Control Statement

Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.

Supplemental Guidance

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents can occur anywhere through or to the supply chain and include compromises or breaches that involve primary or sub-tier providers, information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations consider including processes for protecting and sharing incident information in information exchange agreements and their obligations for reporting incidents to government oversight bodies (e.g., Federal Acquisition Security Council).