CCI-005056

Disseminate an organization-level, mission/business process-level, and/or system-level supply chain risk management policy to organization-defined personnel or roles.

Implementation Guidance

Determine if: - a supply chain risk management policy is developed and documented. - the supply chain risk management policy is disseminated to [SR-01_ODP[01]; personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined].

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with supply chain risk management responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with enterprise risk management responsibilities].

The controls below (if any) were marked by NIST as being related to CCI-005056.