CCI-003224
CCI-003224 Definition
Status |
Type | policy
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. The organization being inspected/assessed will perform follow-on actions to address the weaknesses and deficiencies identified during assessments of supply chain (SC) elements (e.g., penetration testing, audits, verification/validation activities). Follow-on actions may include:

1. Performing failure or forensic analysis on elements and processes to determine the cause of failure: isolate and diagnose the elements of the component that are not performing properly, assess the origin and mechanisms of the failure, and assess the impact of the failure, ways to detect such failures, and mitigating actions (including ways to prevent future occurrences).
2. Initiating a plan to remediate vulnerabilities immediately upon detection, which includes: a. identifying the weakness associated with the vulnerability; b. determining the root cause and context; and c. remediating the vulnerability, prioritized by the likelihood of its exploitation and the severity of its consequences.
3. Coordinating SC incident management activities with other organizations to ensure consistent and effective management of SC risk incidents.
4. Following established procedures for reporting incidents. If no procedure has been established, determine what information should flow in and out, to whom, and under what circumstances.
5. Establishing and maintaining SC risk incident reporting connectivity to local, regional, and national incident management processes where established (e.g., IAVA, CERT/CC, US CERT, FBI, FISMA reporting), and possibly to intelligence processes.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented process to verify that the organization being inspected/assessed has established a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan for establishing processes to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.