This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: (H) organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures] as part of a comprehensive, defense-in-breadth information security strategy.
NIST 800-53 (r4) Supplemental Guidance:
Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7.
NIST 800-53 (r5) Discussion:
[None. Withdrawn: Incorporated into SR Family.]
38North Guidance:
Meets Minimum Requirement:
Develop and implement a Supply Chain Risk Management Program that includes reviewing all external vendors/contractors/suppliers that provide a service to the CSP.
Develop contractor personnel security requirements.
Perform risk assessments on all external vendors/contractors/suppliers and develop an approved HW/SW vendor list.
Bake the Supply Chain Risk Management Program into the System Development Life Cycle (SDLC) so that vendor review is a required step, not a separate activity.
Best Practice:
Incorporate the Supply Chain Risk Management Program during the initial stages of the SDLC (e.g., requirements analysis and initial design), before vendors or products are selected.
Where a product requires security testing by the vendor, verify that the testing was performed (e.g., by reviewing the vendor's test results or attestations) as part of the vendor's risk assessment.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Documented evidence of the Supply Chain Risk Management Framework detailing the process(es) for implementing security mechanisms, the requirements for vendor approval, vendor personnel security requirements, how the program fits into the organization's SDLC, etc.
Evidence of a documented list of approved vendors/products.
Risk assessments performed for each vendor along with the resultant risk assessment report.
Evidence showing the security safeguards used to protect the information system, its components, and its services against supply chain threats.
CSP Implementation Tips:
None.