>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

IR-6(3)Incident Reporting | Supply Chain Coordination

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities.

Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.

>Programmatic Queries

Beta

Related Services

AWS Security Hub
AWS Resource Sharing
AWS Marketplace

CLI Commands

Create Security Hub to share incident findings
aws securityhub batch-import-findings --findings file://supply-chain-findings.json
Share Security Hub findings with partner
aws securityhub enable-organization-admin-account --admin-account-id 123456789012
Create resource share for supply chain partners
aws ram create-resource-share --name supply-chain-incidents --resource-arns arn:aws:securityhub:us-east-1:123456789012:hub/default --principals arn:aws:iam::PARTNER_ACCOUNT:root
Enable supply chain incident notifications
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:123456789012:supply-chain-incidents --protocol email --notification-endpoint partner@supplier.com
Open AWS ConsoleDocumentation

>Related Controls

SR-8

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IR-6(3) (Supply Chain Coordination)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IR-6(3)?
  • How frequently is the IR-6(3) policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IR-6(3) requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IR-6(3) requirements.
  • What automated tools, systems, or technologies are deployed to implement IR-6(3)?
  • How is IR-6(3) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IR-6(3) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IR-6(3)?
  • What audit logs, records, reports, or monitoring data validate IR-6(3) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IR-6(3) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IR-6(3) compliance?

Ask AI

Configure your API key to use AI features.