SR-6

Supplier Assessments and Reviews

Supply Chain Risk Management (SR)
Baselines
Low · Not included
Moderate · Included
High · Included
Description

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [assignment].

Discussion

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

Implementation guidance

No content available.

CSF 2.0 crosswalk
GV.OC-02 · Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered · Govern
GV.OV-01 · Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction · Govern
GV.OV-02 · The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks · Govern
GV.OV-03 · Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed · Govern
GV.SC-04 · Suppliers are known and prioritized by criticality · Govern
GV.SC-05 · Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties · Govern
GV.SC-06 · Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships · Govern
GV.SC-07 · The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship · Govern
GV.SC-09 · Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle · Govern
GV.SC-10 · Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement · Govern
ID.RA-09 · The authenticity and integrity of hardware and software are assessed prior to acquisition and use · Identify
ID.RA-10 · Critical suppliers are assessed prior to acquisition · Identify