CCI-003205

The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.

Implementation Guidance

The organization being inspected/assessed documents and implements a process IAW DoDI 5200.44 to use all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service. All-source intelligence of suppliers that the organization may use includes: 1. Defense Intelligence Agency (DIA) Threat Assessment Center (TAC), the enterprise focal point for supplier threat assessments for the DoD acquisition community risks; 2. Other U.S. Government resources including: a. Government Industry Data Exchange Program (GIDEP) – Database where government and industry can record issues with suppliers, including counterfeits; and b. System for Award Management (SAM) – Database of companies that are barred from doing business with the US Government. 3. Open source and commercial research.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements a process IAW DoDI 5200.44 to use all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan for implementation of the all-source intelligence of suppliers and potential suppliers of the information system, system component, or information system service.

The controls below (if any) were marked by NIST as being related to CCI-003205.