Analyze supply chain risk management procedures, as necessary.


CONTROL ID
13198
CONTROL TYPE
Process or Activity
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include supply chain risk management procedures in the risk management program., CC ID: 13190

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Reading sample contracts with subservice organizations and associated performance or service-level agreements and other documentation to understand how the service organization's contracting process addresses security-related matters; the interrelationship between the service organization and its su… (¶ 3.50 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (SR-1c.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (SR-1c.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (SR-1c.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-30c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-30c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Assess, respond to, and monitor supply chain risks associated with organizational systems and system components. (3.11.6e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders (ID.SC-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders (ID.SC-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-30c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (SR-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. (PM-30c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)