
PL-8(2) Security and Privacy Architectures | Supplier Diversity

IL5
IL6

>Control Description

Require that organization-defined controls allocated to organization-defined locations and architectural layers are obtained from different suppliers.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms based on their priorities and development schedules.

By deploying different products at different locations, there is an increased likelihood that at least one of the products will detect the malicious code. With respect to privacy, vendors may offer products that track personally identifiable information in systems. Products may use different tracking methods.

Using multiple products may result in more assurance that personally identifiable information is inventoried.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of supplier diversity across organizational systems?
  • Who is responsible for supplier diversity activities and oversight?
  • What is the process for documenting and approving supplier diversity?
  • How frequently are supplier diversity activities reviewed and updated?
  • What governance exists for ensuring supplier diversity aligns with organizational objectives and risk management strategy?

Technical Implementation:

  • What systems or tools support the technical implementation of supplier diversity?
  • How is supplier diversity information integrated with other system documentation or repositories?
  • What automation exists for supplier diversity activities?
  • How are supplier diversity artifacts version-controlled and maintained?
  • What technical workflows enforce supplier diversity requirements?

Evidence & Documentation:

  • Provide documented policies and procedures for supplier diversity.
  • Provide artifacts demonstrating supplier diversity implementation.
  • Provide evidence of supplier diversity review and approval.
  • Provide records of supplier diversity updates and version control.
  • Provide documentation showing supplier diversity integration with system authorization.
