GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
Ex1: Policies and procedures require provenance records for all acquired technology products and services
Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
Ex5: Policies and procedure require checking upgrades to critical hardware for unauthorized changes
Tier
Description
Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle