Establish, implement, and maintain a supply chain risk management policy.
CONTROL ID
14663
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Include compliance requirements in the supply chain risk management policy., CC ID: 14711
  • Include coordination amongst entities in the supply chain risk management policy., CC ID: 14710
  • Include management commitment in the supply chain risk management policy., CC ID: 14709
  • Include roles and responsibilities in the supply chain risk management policy., CC ID: 14708
  • Include the scope in the supply chain risk management policy., CC ID: 14707
  • Include the purpose in the supply chain risk management policy., CC ID: 14706
  • Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties., CC ID: 14662

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • financial entities' management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account: (Art. 28.1.(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to … (Art. 28.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (SR-1c.1, FedRAMP Security Controls High Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), FedRAMP Security Controls Low Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (SR-1c.1, FedRAMP Security Controls Low Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (SR-1c.1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • C-SCRM activities performed at Level 2 focus on assessing, responding to, and monitoring risk exposure arising from the mission and business process dependencies on suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Risk exposure… (2.3.3. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Implement C-SCRM policies and requirements. (Level 3 Operational Activities Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The C-SCRM process should be carried out across the three risk management levels with the overall objective of continuous improvement of the enterprise's risk-related activities and effective inter- and intra-level communication, thus integrating both strategic and tactical activities among all stak… (2.3.1. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • C-SCRM requires accountability, commitment, oversight, direct involvement, and ongoing support from senior leaders and executives. Enterprises should ensure that C-SCRM roles and responsibilities are defined for senior leaders who participate in supply chain activities (e.g., acquisition and procure… (2.3.2. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • These leaders are also responsible and accountable for developing and promulgating a holistic set of policies that span the enterprise's mission and business processes, guiding the establishment and maturation of a C-SCRM capability and the implementation of a cohesive set of C-SCRM activities. Lead… (2.3.2. ¶ 6, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Informed by the risk framing process and the C-SCRM strategy, Level 1 provides the enterprise's C-SCRM policy. The C-SCRM policy establishes the C-SCRM program's purpose, outlines the enterprise's C-SCRM responsibilities, defines and grants authority to C-SCRM roles across the enterprise, and outlin… (2.3.2. ¶ 9, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Level 2 roles include representatives of each mission and business process, such as program managers, research and development, and acquisitions/procurement. Level 2 C-SCRM activities address C-SCRM within the context of the enterprise's mission and business process. Specific strategies, policies, a… (2.3.3. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • To successfully address evolving cybersecurity risks throughout the supply chain, enterprises need to engage multiple internal processes and capabilities, communicate and collaborate across enterprise levels and mission areas, and ensure that all individuals within the enterprise understand their ro… (3. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; (PM-30a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Implement the supply chain risk management strategy consistently across the organization; and (PM-30b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; (PM-30a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Implement the supply chain risk management strategy consistently across the organization; and (PM-30b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Review and approve a supply chain security/risk management policy. (T0552, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; (PM-30a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement the supply chain risk management strategy consistently across the organization; and (PM-30b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (SR-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SR-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SR-1c.1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; (PM-30a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Implement the supply chain risk management strategy consistently across the organization; and (PM-30b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)