CCI-005119
CCI-005119 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed [SR-06_ODP; the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined].
Validation Procedures
Examine: [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management strategy; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; records of supplier due diligence reviews; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities].
Test: [SELECT FROM: Organizational processes for conducting supplier reviews; mechanisms supporting and/or implementing supplier reviews].