CCI-004626

Update the supply chain risk assessment on an organization-defined frequency when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

Implementation Guidance

Determine if the supply chain risk assessment is updated [RA-03(01)_ODP[02]; the frequency at which to update the supply chain risk assessment is defined], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management policy; inventory of critical systems, system components, and system services; risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of supply chain risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; acquisition policy; system security plan; supply chain risk management plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security responsibilities; organizational personnel with supply chain risk management responsibilities]. Test: [SELECT FROM: Organizational processes for risk assessment; mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment].

The controls below (if any) were marked by NIST as being related to CCI-004626.