CCI-005150

Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.

Implementation Guidance

Determine if: - suppliers of critical or mission-essential technologies, products, and services are identified. - suppliers of critical or mission-essential technologies, products, and services are prioritized. - suppliers of critical or mission-essential technologies, products, and services are assessed.

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management strategy; organization-wide risk management strategy; enterprise risk management documents; inventory records or suppliers; assessment and prioritization documentation; critical or mission-essential technologies, products, and service documents or records; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with supply chain risk management responsibilities; organizational personnel with information security responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with enterprise risk management responsibilities]. Test: [SELECT FROM: Organizational processes for identifying, prioritizing, and assessing critical or mission-essential technologies, products, and services; organizational processes for maintaining an inventory of suppliers; organizational process for associating suppliers with critical or mission-essential technologies, products, and services].

The controls below (if any) were marked by NIST as being related to CCI-005150.