CCI-003200
CCI-003200 Definition
Status |  |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements a process to conduct a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service. Examples of items that can be considered in the review are the supplier's:
1. Organization and process certifications;
2. Security policies, procedures, and activities across the lifecycle;
3. Supply chain, and the criteria and methodology for selecting and managing their own suppliers and service providers;
4. Financials, to determine whether the supplier is financially stable;
5. Foreign Ownership, Control, and Influence (FOCI);
6. Past performance and any documented supply chain incidents;
7. Business relationships; and
8. Maturity of business processes.
The organization must maintain a record of each supplier review.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines both the documented supplier review process and the records of completed supplier reviews, to confirm that the organization being inspected/assessed has documented and implemented a process for reviewing suppliers prior to entering into a contractual agreement to acquire the information system, system component, or information system service. The records should show that each review was completed before the corresponding contract was signed.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation.
3.) Continuous monitoring plan showing supplier review prior to procurement of information systems, system components, or services from suppliers.