CCI-005073
CCI-005073 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- a plan for managing supply chain risks is developed.
- the supply chain risk management plan addresses risks associated with the research and development of [SR-02_ODP[01]; systems, system components, or system services for which a supply chain risk management plan is developed are defined].
- the supply chain risk management plan addresses risks associated with the design of [SR-02_ODP[01]; systems, system components, or system services for which a supply chain risk management plan is developed are defined].
- the supply chain risk management plan addresses risks associated with the manufacturing of [SR-02_ODP[01]; systems, system components, or system services for which a supply chain risk management plan is developed are defined].
- the supply chain risk management plan addresses risks associated with the acquisition of [SR-02_ODP[01]; systems, system components, or system services for which a supply chain risk management plan is developed are defined].
- the supply chain risk management plan addresses risks associated with the delivery of [SR-02_ODP[01]; systems, system components, or system services for which a supply chain risk management plan is developed are defined].
- the supply chain risk management plan addresses risks associated with the integration of [SR-02_ODP[01]; systems, system components, or system services for which a supply chain risk management plan is developed are defined].
- the supply chain risk management plan addresses risks associated with the operation and maintenance of [SR-02_ODP[01]; systems, system components, or system services for which a supply chain risk management plan is developed are defined].
- the supply chain risk management plan addresses risks associated with the disposal of [SR-02_ODP[01]; systems, system components, or system services for which a supply chain risk management plan is developed are defined].
Validation Procedures
Examine: [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; supply chain risk management plan; system and services acquisition policy; system and services acquisition procedures; procedures addressing supply chain protection; procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification; system development life cycle procedures; procedures addressing the integration of information security and privacy requirements into the acquisition process; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; list of supply chain threats; list of safeguards to be taken against supply chain threats; system life cycle documentation; inter-organizational agreements and procedures; system security plan; privacy plan; privacy program plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities].

Test: [SELECT FROM: Organizational processes for defining and documenting the system development life cycle (SDLC); organizational processes for identifying SDLC roles and responsibilities; organizational processes for integrating supply chain risk management into the SDLC; mechanisms supporting and/or implementing the SDLC].