SR-6: Supplier Assessments and Reviews

CSF v1.1 References:

PF v1.0 References:


  • Low


  • Moderate
    • SR-6
  • High
    • SR-6
  • Privacy


Info icon.

Control is new to this version of the control set and incorporates the following item from the previous version: SA-12(2): Supplier Reviews.

Control Statement

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].

Supplemental Guidance

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

Control Enhancements

SR-6(1): Testing and Analysis


(Not part of any baseline)

Employ [Assignment (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors].