SR-8
Notification Agreements
Supply Chain Risk Management (SR)
Baselines
Low · Included
Moderate · Included
High · Included
Description
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [assignment].
Discussion
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.
Implementation guidance
No content available.
CSF 2.0 crosswalk
GV.OC-02 · Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered · Govern
GV.SC-08 · Relevant suppliers and other third parties are included in incident planning, response, and recovery activities · Govern
RC.CO-03 · Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders · Recover
RS.CO-02 · Internal and external stakeholders are notified of incidents · Respond
RS.CO-03 · Information is shared with designated internal and external stakeholders · Respond
RS.MA-01 · The incident response plan is executed in coordination with relevant third parties once an incident is declared · Respond