Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. from Cybersecurity Fundamentals framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders

ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers

Maturity Level 2

Maturity Level 3

ID.SC-3.1

ID.SC-3.1: Based on the results of the cyber supply chain risk assessment, a contractual framework for suppliers and external partners shall be established to address sharing of sensitive information and distributed and interconnected ICT/OT products and services.

Entities not subject to the NIS legislation should consider business critical suppliers and third-party partners only.
Keep in mind that GDPR requirements need to be fulfilled when business information contains personal data (applicable on all levels), i.e. security measures need to be addressed in the contractual framework.

Description

Based on the results of the cyber supply chain risk assessment, a contractual framework for suppliers and external partners shall be established to address sharing of sensitive information and distributed and interconnected ICT/OT products and services.

ID.SC-3.2

ID.SC-3.2: Contractual information security and cybersecurity’ requirements for suppliers and third-party partners shall be implemented to ensure a verifiable flaw remediation process, and to ensure the correction of flaws identified during ‘information security and cybersecurity’ testing and evaluation.

Information systems containing software (or firmware) affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) should be identified.
Newly released security relevant patches, service packs, and hot fixes should be installed, and these patches, service packs, and hot fixes are tested for effectiveness and potential side effects on the organization’s information systems before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Flaw remediation should be incorporated into configuration management as an emergency change.

Description

Contractual information security and cybersecurity’ requirements for suppliers and third-party partners shall be implemented to ensure a verifiable flaw remediation process, and to ensure the correction of flaws identified during ‘information security and cybersecurity’ testing and evaluation.

ID.SC-3.3

ID.SC-3.3: The organization shall establish contractual requirements permitting the organization to review the ‘information security and cybersecurity’ programs implemented by suppliers and third-party partners.

Description

The organization shall establish contractual requirements permitting the organization to review the ‘information security and cybersecurity’ programs implemented by suppliers and third-party partners.