Navigate

SI-2(7)

SI-2(7): Root Cause Analysis

a: Conduct root cause analysis to identify underlying causes of issues or failures.

b: Develop actions to address the root cause of the issue or failure.

c: Implement the actions and monitor the implementation for effectiveness.

Supplemental

Root cause analysis includes a wide range of approaches, tools, and techniques to systematically identify the underlying cause of issues or failures to systems and systems components (hardware, software, and firmware). Organizations consider the severity of the incident to determine what root cause analysis method is used and how quickly implementation of the remediation actions. The root cause analysis includes a timeline, missed warning signs, key decisions, gaps, mitigations, and verification of effectiveness. The actions identified to address the source of the issue are implemented and integrated into applicable organizational policy, procedures, and control implementation.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-2(7).

Control	Description
AC-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] access control policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the access control policy and the associated access controls; b: Designate an [an official to manage the access control policy and procedures is defined;] to manage the development, documentation, and dissemination of the access control policy and procedures; and c: Review and update the current access control: 1: Policy [the frequency at which the current access control policy is reviewed and updated is defined;] and following [events that would require the current access control policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current access control procedures are reviewed and updated is defined;] and following [events that would require procedures to be reviewed and updated are defined;].
AT-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] awareness and training policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; b: Designate an [an official to manage the awareness and training policy and procedures is defined;] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and c: Review and update the current awareness and training: 1: Policy [the frequency at which the current awareness and training policy is reviewed and updated is defined;] and following [events that would require the current awareness and training policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current awareness and training procedures are reviewed and updated is defined;] and following [events that would require procedures to be reviewed and updated are defined;].
AU-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] audit and accountability policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; b: Designate an [an official to manage the audit and accountability policy and procedures is defined;] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and c: Review and update the current audit and accountability: 1: Policy [the frequency at which the current audit and accountability policy is reviewed and updated is defined;] and following [events that would require the current audit and accountability policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current audit and accountability procedures are reviewed and updated is defined;] and following [events that would require audit and accountability procedures to be reviewed and updated are defined;].
AU-2	a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;]; b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c: Specify the following event types for logging within the system: [one of ]; d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].
CA-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] assessment, authorization, and monitoring policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; b: Designate an [an official to manage the assessment, authorization, and monitoring policy and procedures is defined;] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and c: Review and update the current assessment, authorization, and monitoring: 1: Policy [the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;] and following [events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;] and following [events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;].
CA-7	Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a: Establishing the following system-level metrics to be monitored: [system-level metrics to be monitored are defined;]; b: Establishing [frequencies at which to monitor control effectiveness are defined;] for monitoring and [frequencies at which to assess control effectiveness are defined;] for assessment of control effectiveness; c: Ongoing control assessments in accordance with the continuous monitoring strategy; d: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e: Correlation and analysis of information generated by control assessments and monitoring; f: Response actions to address results of the analysis of control assessment and monitoring information; and g: Reporting the security and privacy status of the system to [one of ] [one of ].
CM-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] configuration management policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; b: Designate an [an official to manage the configuration management policy and procedures is defined;] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and c: Review and update the current configuration management: 1: Policy [the frequency at which the current configuration management policy is reviewed and updated is defined;] and following [events that would require the current configuration management policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current configuration management procedures are reviewed and updated is defined;] and following [events that would require configuration management procedures to be reviewed and updated are defined;].
CP-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] contingency planning policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b: Designate an [an official to manage the contingency planning policy and procedures is defined;] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c: Review and update the current contingency planning: 1: Policy [the frequency at which the current contingency planning policy is reviewed and updated is defined;] and following [events that would require the current contingency planning policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current contingency planning procedures are reviewed and updated is defined;] and following [events that would require procedures to be reviewed and updated are defined;].
IA-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] identification and authentication policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; b: Designate an [an official to manage the identification and authentication policy and procedures is defined;] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and c: Review and update the current identification and authentication: 1: Policy [the frequency at which the current identification and authentication policy is reviewed and updated is defined;] and following [events that would require the current identification and authentication policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current identification and authentication procedures are reviewed and updated is defined;] and following [events that would require identification and authentication procedures to be reviewed and updated are defined;].
IR-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] incident response policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; b: Designate an [an official to manage the incident response policy and procedures is defined;] to manage the development, documentation, and dissemination of the incident response policy and procedures; and c: Review and update the current incident response: 1: Policy [the frequency at which the current incident response policy is reviewed and updated is defined;] and following [events that would require the current incident response policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current incident response procedures are reviewed and updated is defined;] and following [events that would require the incident response procedures to be reviewed and updated are defined;].
IR-6	a: Require personnel to report suspected incidents to the organizational incident response capability within [time period for personnel to report suspected incidents to the organizational incident response capability is defined;] ; and b: Report incident information to [authorities to whom incident information is to be reported are defined;].
IR-8	a: Develop an incident response plan that: 1: Provides the organization with a roadmap for implementing its incident response capability; 2: Describes the structure and organization of the incident response capability; 3: Provides a high-level approach for how the incident response capability fits into the overall organization; 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5: Defines reportable incidents; 6: Provides metrics for measuring the incident response capability within the organization; 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8: Addresses the sharing of incident information; 9: Is reviewed and approved by [personnel or roles that review and approve the incident response plan is/are identified;] [the frequency at which to review and approve the incident response plan is defined;] ; and 10: Explicitly designates responsibility for incident response to [entities, personnel, or roles with designated responsibility for incident response are defined;]. b: Distribute copies of the incident response plan to [incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;]; c: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d: Communicate incident response plan changes to [one of ] ; and e: Protect the incident response plan from unauthorized disclosure and modification.
MA-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] maintenance policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; b: Designate an [an official to manage the maintenance policy and procedures is defined;] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and c: Review and update the current maintenance: 1: Policy [the frequency with which the current maintenance policy is reviewed and updated is defined;] and following [events that would require the current maintenance policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency with which the current maintenance procedures are reviewed and updated is defined;] and following [events that would require the maintenance procedures to be reviewed and updated are defined;].
MA-3	a: Approve, control, and monitor the use of system maintenance tools; and b: Review previously approved system maintenance tools [frequency at which to review previously approved system maintenance tools is defined;].
MP-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] media protection policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; b: Designate an [an official to manage the media protection policy and procedures is defined;] to manage the development, documentation, and dissemination of the media protection policy and procedures; and c: Review and update the current media protection: 1: Policy [the frequency with which the current media protection policy is reviewed and updated is defined;] and following [events that would require the current media protection policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency with which the current media protection procedures are reviewed and updated is defined;] and following [events that would require media protection procedures to be reviewed and updated are defined;].
PE-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] physical and environmental protection policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; b: Designate an [an official to manage the physical and environmental protection policy and procedures is defined;] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and c: Review and update the current physical and environmental protection: 1: Policy [the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;] and following [events that would require the current physical and environmental protection policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;] and following [events that would require the physical and environmental protection procedures to be reviewed and updated are defined;].
PL-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] planning policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the planning policy and the associated planning controls; b: Designate an [an official to manage the planning policy and procedures is defined;] to manage the development, documentation, and dissemination of the planning policy and procedures; and c: Review and update the current planning: 1: Policy [the frequency with which the current planning policy is reviewed and updated is defined;] and following [events that would require the current planning policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency with which the current planning procedures are reviewed and updated is defined;] and following [events that would require procedures to be reviewed and updated are defined;].
PM-1	a: Develop and disseminate an organization-wide information security program plan that: 1: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3: Reflects the coordination among organizational entities responsible for information security; and 4: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b: Review and update the organization-wide information security program plan [the frequency at which to review and update the organization-wide information security program plan is defined;] and following [events that trigger the review and update of the organization-wide information security program plan are defined;] ; and c: Protect the information security program plan from unauthorized disclosure and modification.
PS-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] personnel security policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; b: Designate an [an official to manage the personnel security policy and procedures is defined;] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and c: Review and update the current personnel security: 1: Policy [the frequency at which the current personnel security policy is reviewed and updated is defined;] and following [events that would require the current personnel security policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current personnel security procedures are reviewed and updated is defined;] and following [events that would require the personnel security procedures to be reviewed and updated are defined;].
PT-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] personally identifiable information processing and transparency policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; b: Designate an [an official to manage the personally identifiable information processing and transparency policy and procedures is defined;] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and c: Review and update the current personally identifiable information processing and transparency: 1: Policy [the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;] and following [events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;] and following [events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;].
RA-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] risk assessment policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; b: Designate an [an official to manage the risk assessment policy and procedures is defined;] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and c: Review and update the current risk assessment: 1: Policy [the frequency at which the current risk assessment policy is reviewed and updated is defined;] and following [events that would require the current risk assessment policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current risk assessment procedures are reviewed and updated is defined;] and following [events that would require risk assessment procedures to be reviewed and updated are defined;].
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
SA-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] system and services acquisition policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; b: Designate an [an official to manage the system and services acquisition policy and procedures is defined;] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and c: Review and update the current system and services acquisition: 1: Policy [the frequency at which the current system and services acquisition policy is reviewed and updated is defined;] and following [events that would require the current system and services acquisition policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;] and following [events that would require the system and services acquisition procedures to be reviewed and updated are defined;].
SA-11	Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a: Develop and implement a plan for ongoing security and privacy control assessments; b: Perform [one or more of "unit"/"integration"/"system"/"regression"] testing/evaluation [frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;] at [depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;]; c: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d: Implement a verifiable flaw remediation process; and e: Correct flaws identified during testing and evaluation.
SA-15	a: Require the developer of the system, system component, or system service to follow a documented development process that: 1: Explicitly addresses security and privacy requirements; 2: Identifies the standards and tools used in the development process; 3: Documents the specific tool options and tool configurations used in the development process; and 4: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b: Review the development process, standards, tools, tool options, and tool configurations [frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [one of ].
SC-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business-process-level"/"system-level"] system and communications protection policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; b: Designate an [an official to manage the system and communications protection policy and procedures is defined;] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and c: Review and update the current system and communications protection: 1: Policy [the frequency at which the current system and communications protection policy is reviewed and updated is defined;] and following [events that would require the current system and communications protection policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current system and communications protection procedures are reviewed and updated is defined;] and following [events that would require the system and communications protection procedures to be reviewed and updated are defined;].
SI-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] system and information integrity policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b: Designate an [an official to manage the system and information integrity policy and procedures is defined;] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c: Review and update the current system and information integrity: 1: Policy [the frequency at which the current system and information integrity policy is reviewed and updated is defined;] and following [events that would require the current system and information integrity policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current system and information integrity procedures are reviewed and updated is defined;] and following [events that would require the system and information integrity procedures to be reviewed and updated are defined;].
SR-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] supply chain risk management policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; b: Designate an [an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and c: Review and update the current supply chain risk management: 1: Policy [the frequency at which the current supply chain risk management policy is reviewed and updated is defined;] and following [events that require the current supply chain risk management policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;] and following [events that require the supply chain risk management procedures to be reviewed and updated are defined;].
SR-8	Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [one or more of "notification of supply chain compromises"/"{{ insert: param, sr-08_odp.02 }} "].

Enhancements

The controls below (if any) add on to the requirements of SI-2(7).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-2(7).

CCI	Definition
No CCIs