supply-chain Controls

Third-party vendors are required to meet minimum security standards

Third-party software and services are inventoried and assessed for risk

Vendor contracts include minimum cybersecurity requirements

External service provider activities and services are monitored to detect potentially adverse events

A cybersecurity supply chain risk management program is established

Supply chain risk management plans include provisions for activities after a supplier relationship ends

Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated

Supply chain risk management is integrated into enterprise risk management processes

Suppliers are known and prioritized by criticality

Cybersecurity requirements are integrated into contracts with suppliers

Due diligence is performed before entering into supplier relationships

Risks from suppliers are assessed, monitored, and responded to throughout the relationship

Relevant suppliers are included in incident planning, response, and recovery activities

Supply chain security practices are monitored throughout the technology product and service life cycle

Critical suppliers are assessed prior to acquisition

The authenticity and integrity of hardware and software are assessed prior to acquisition and use

Third-party vendor risk is assessed and managed