CCI-005087
CCI-005087 Definition
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
Determine if [SR-03_ODP[03]; supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined] are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events.
Validation Procedures
Examine: [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; supply chain risk management strategy; supply chain risk management plan; systems and critical system components inventory documentation; system and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of information security and privacy requirements into the acquisition process; solicitation documentation; acquisition documentation (including purchase orders); service level agreements; acquisition contracts for systems or services; risk register documentation; system security plan; privacy plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities].
Test: [SELECT FROM: Organizational processes for identifying and addressing supply chain element and process deficiencies].