Navigate

CCI-004466

CCI-004466 Definition

Develop an organization-wide strategy for managing supply chain risks associated with the development of systems, system components, and system services.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - an organization-wide strategy for managing supply chain risks is developed. - the supply chain risk management strategy addresses risks associated with the development of systems. - the supply chain risk management strategy addresses risks associated with the development of system components. - the supply chain risk management strategy addresses risks associated with the development of system services. - the supply chain risk management strategy addresses risks associated with the acquisition of systems. - the supply chain risk management strategy addresses risks associated with the acquisition of system components. - the supply chain risk management strategy addresses risks associated with the acquisition of system services. - the supply chain risk management strategy addresses risks associated with the maintenance of systems. - the supply chain risk management strategy addresses risks associated with the maintenance of system components. - the supply chain risk management strategy addresses risks associated with the maintenance of system services. - the supply chain risk management strategy addresses risks associated with the disposal of systems. - the supply chain risk management strategy addresses risks associated with the disposal of system components. - the supply chain risk management strategy addresses risks associated with the disposal of system services.

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management strategy; organizational risk management strategy; enterprise risk management documents; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with supply chain risk management responsibilities; organizational personnel with information security responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with enterprise risk management responsibilities].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004466.

Control	Description
PM-30	a: Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; b: Implement the supply chain risk management strategy consistently across the organization; and c: Review and update the supply chain risk management strategy on [the frequency for reviewing and updating the supply chain risk management strategy is defined;] or as required, to address organizational changes.

Control

Description

PM-30

a: Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;

b: Implement the supply chain risk management strategy consistently across the organization; and

c: Review and update the supply chain risk management strategy on [the frequency for reviewing and updating the supply chain risk management strategy is defined;] or as required, to address organizational changes.