CCI-005122

Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service.

Implementation Guidance

Determine if [SR-07_ODP; Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service are defined] are employed to protect supply chain-related information for the system, system component, or system service.

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management plan; supply chain risk management procedures; system and services acquisition policy; system and services acquisition procedures; procedures addressing supply chain protection; list of OPSEC controls to be employed; solicitation documentation; acquisition documentation; acquisition contracts for the system, system component, or system service; records of all-source intelligence analyses; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with OPSEC responsibilities; organizational personnel with supply chain risk management responsibilities]. Test: [SELECT FROM: Organizational processes for defining and employing OPSEC safeguards; mechanisms supporting and/or implementing the definition and employment of OPSEC safeguards].

The controls below (if any) were marked by NIST as being related to CCI-005122.