CCI-005121
CCI-005121 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if [SR-06(01)_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {organizational analysis; independent third-party analysis; organizational testing; independent third-party testing}] is/are employed on [SR-06(01)_ODP[02]; supply chain elements, processes, and actors to be analyzed and tested are defined] associated with the system, system component, or system service.
Validation Procedures
Examine: [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; evidence of organizational analysis, independent third-party analysis, organizational penetration testing, and/or independent third-party penetration testing; list of supply chain elements, processes, and actors (associated with the system, system component, or system service) subject to analysis and/or testing; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with responsibilities for analyzing and/or testing supply chain elements, processes, and actors].
Test: [SELECT FROM: Organizational processes for defining and employing methods of analysis/testing of supply chain elements, processes, and actors; mechanisms supporting and/or implementing the analysis/testing of supply chain elements, processes, and actors].