SR-5

Acquisition Strategies, Tools, and Methods

Supply Chain Risk Management (SR)
Baselines

| Baseline | Status |
| --- | --- |
| Low | Included |
| Moderate | Included |
| High | Included |
Description

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [assignment].

Discussion

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

Implementation guidance

No content available.

CSF 2.0 crosswalk

| Subcategory | Outcome | Function |
| --- | --- | --- |
| GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | Govern |
| GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | Govern |
| GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | Govern |
| GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | Govern |
| GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | Govern |
| GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Govern |
| GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Govern |
| ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | Identify |
| ID.IM-01 | Improvements are identified from evaluations | Identify |
| ID.IM-02 | | Identify |
| ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | Identify |
| ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use | Identify |