Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process from Cybersecurity Fundamentals framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders

ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers

Maturity Level 2

Maturity Level 3

ID.SC-2.1

ID.SC-2.1: The organization shall conduct cyber supply chain risk assessments at least annually or when a change to the organization’s critical systems, operational environment, or supply chain occurs; These assessments shall be documented, and the results disseminated to relevant stakeholders including those responsible for ICT/OT systems.

This assessment should identify and prioritize potential negative impacts to the organization from the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains.

Description

The organization shall conduct cyber supply chain risk assessments at least annually or when a change to the organization’s critical systems, operational environment, or supply chain occurs; These assessments shall be documented, and the results disseminated to relevant stakeholders including those responsible for ICT/OT systems.

ID.SC-2.2

ID.SC-2.2: A documented list of all the organization’s suppliers, vendors and partners who may be involved in a major incident shall be established, kept up-to-date and made available online and offline.

This list should include suppliers, vendors and partners contact information and the services they provide, so they can be contacted for assistance in the event of an outage or service degradation.

Description

A documented list of all the organization’s suppliers, vendors and partners who may be involved in a major incident shall be established, kept up-to-date and made available online and offline.