Navigate

CCI-005057

CCI-005057 Definition

Develop and document an organization-level, mission/business process-level, and/or system-level supply chain risk management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - the [SR-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] supply chain risk management policy addresses purpose. - the [SR-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] supply chain risk management policy addresses scope. - [SR-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] supply chain risk management policy addresses roles. - the [SR-01_ODP[03];one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] supply chain risk management policy addresses responsibilities. - the [SR-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] supply chain risk management policy addresses management commitment. - the [SR-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] supply chain risk management policy addresses coordination among Organizational entities. - the [SR-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] supply chain risk management policy addresses compliance.

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with supply chain risk management responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with enterprise risk management responsibilities].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-005057.

Control	Description
SR-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] supply chain risk management policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; b: Designate an [an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and c: Review and update the current supply chain risk management: 1: Policy [the frequency at which the current supply chain risk management policy is reviewed and updated is defined;] and following [events that require the current supply chain risk management policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;] and following [events that require the supply chain risk management procedures to be reviewed and updated are defined;].

Control

Description

SR-1

a: Develop, document, and disseminate to [one of ]:
- 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] supply chain risk management policy that:
  - (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- 2: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

b: Designate an [an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

c: Review and update the current supply chain risk management:
- 1: Policy [the frequency at which the current supply chain risk management policy is reviewed and updated is defined;] and following [events that require the current supply chain risk management policy to be reviewed and updated are defined;] ; and
- 2: Procedures [the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;] and following [events that require the supply chain risk management procedures to be reviewed and updated are defined;].