
KSI-SCR-MIT Mitigating Supply Chain Risk

LOW
MODERATE

Formerly KSI-TPR-03

>Control Description

Persistently identify, review, and mitigate potential supply chain risks.
Defined terms:
Persistently

>NIST 800-53 Controls

>Trust Center Components
5

Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.

From the field: Strong implementations enforce supply chain security through automated tooling — SBOM scanning in CI/CD pipelines, dependency vulnerability analysis via Dependabot or Snyk, and vendor assessment automation that flags non-compliant suppliers before contracts are signed. The trust center expresses proactive third-party risk management through enforcement evidence, not just contractual requirements.

Supply Chain Risk Dashboard

Dashboards

Dashboard expressing supply chain risk posture — vendor assessment status, SBOM vulnerability trends, and third-party compliance gaps

Supply Chain Enforcement

Product Security Features

Automated enforcement of supply chain security requirements — validates dependencies and vendor compliance before deployment

Automated: CI/CD pipeline logs show dependency scanning results and policy enforcement decisions

Third-Party Audit Results

Evidence Artifacts

Evidence from third-party vendor audits and security assessments demonstrating supply chain due diligence

Manual: Auditor reviews vendor assessment reports for completeness and finding remediation

Supply Chain Risk Assessment Process

Processes & Procedures

How the organization assesses supply chain risks including due diligence criteria and continuous monitoring approach

Supply Chain Security Policy

Policies

Human-readable documentation of the organization's supply chain risk assessment approach — the rationale behind automated enforcement

>Programmatic Queries

Beta
CI/CD

CLI Commands

Export SBOM for dependency analysis
gh api repos/{owner}/{repo}/dependency-graph/sbom --jq '.sbom | {name: .name, packages: [.packages[] | {name,versionInfo,supplier}]}'
Check dependency review status (compares the checked-out branch against main; run from a PR branch)
gh api "repos/{owner}/{repo}/dependency-graph/compare/main...$(git rev-parse --abbrev-ref HEAD)" --jq '.[] | {change_type,manifest,package_url,vulnerabilities}' 2>/dev/null || echo "Use on PR branches"
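
The two commands only export data; the "enforcement evidence" this indicator asks for is the policy decision a pipeline makes from it. The following Python gate is an added example (not code from the FedRAMP page, GitHub, or any vendor) that consumes payloads shaped like the jq-filtered SBOM export and the dependency review `compare` response and returns a pass/fail a CI job can turn into an exit status. The vetted-package allowlist, the severity threshold, both sample payloads and the placeholder GHSA ids are assumptions constructed for the example.

```python
"""Policy gate over the two GitHub dependency-graph payloads queried above.

Added example: the vetted-package allowlist, the severity threshold, and the
two sample payloads (shaped like the jq-filtered SBOM export and the
dependency review `compare` response) are constructed for this example and
are not data from any real repository or advisory.
"""
import json
from typing import Dict, List, Tuple

# Ranking used to compare advisory severities against the gate threshold.
SEVERITY_RANK = {"low": 1, "moderate": 2, "medium": 2, "high": 3, "critical": 4}

# Constructed allowlist: package URL without version -> approved versions, or "*" for any.
VETTED = {
    "pkg:pypi/requests": {"2.31.0", "2.32.3"},
    "pkg:pypi/cryptography": "*",
}

# Constructed sample in the shape produced by the SBOM export command above.
SBOM_SUMMARY = json.loads("""
{"name": "example-service",
 "packages": [
   {"name": "requests", "versionInfo": "2.32.3", "supplier": "Organization: Example Upstream Inc."},
   {"name": "demo-widgets", "versionInfo": "0.0.1", "supplier": "NOASSERTION"}
 ]}
""")

# Constructed sample in the shape returned by the dependency review command above.
# The GHSA ids are placeholders, not real advisories.
DEPENDENCY_DIFF = json.loads("""
[
  {"change_type": "added", "manifest": "requirements.txt",
   "package_url": "pkg:pypi/requests@2.32.3", "vulnerabilities": []},
  {"change_type": "added", "manifest": "requirements.txt",
   "package_url": "pkg:pypi/demo-widgets@0.0.1",
   "vulnerabilities": [{"severity": "high", "advisory_ghsa_id": "GHSA-0000-0000-0000",
                        "advisory_summary": "constructed placeholder advisory"}]},
  {"change_type": "removed", "manifest": "requirements.txt",
   "package_url": "pkg:pypi/urllib3@1.26.0",
   "vulnerabilities": [{"severity": "critical", "advisory_ghsa_id": "GHSA-0000-0000-0001",
                        "advisory_summary": "constructed placeholder advisory"}]}
]
""")


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:pypi/requests@2.32.3' -> ('pkg:pypi/requests', '2.32.3')."""
    base, _, version = purl.partition("@")
    return base, version


def is_vetted(purl: str) -> bool:
    """True when this exact package/version pair has been through the vendor/OSS review."""
    base, version = split_purl(purl)
    approved = VETTED.get(base)
    if approved is None:
        return False
    return approved == "*" or version in approved


def gate_dependency_diff(diff: List[dict], highest_allowed: str = "moderate") -> Dict[str, List[str]]:
    """Classify each change; 'blocking' and 'unvetted' findings should fail the pipeline."""
    threshold = SEVERITY_RANK[highest_allowed]
    findings: Dict[str, List[str]] = {"blocking": [], "unvetted": [], "removed": []}
    for entry in diff:
        purl = entry["package_url"]
        if entry["change_type"] == "removed":
            findings["removed"].append(purl)   # dropping a vulnerable package is never a reason to block
            continue
        if not is_vetted(purl):
            findings["unvetted"].append(purl)  # a new dependency nobody has reviewed yet
        for vuln in entry.get("vulnerabilities", []):
            rank = SEVERITY_RANK.get(str(vuln.get("severity", "")).lower(), 0)
            if rank > threshold:
                findings["blocking"].append(
                    f"{purl}: {vuln.get('advisory_ghsa_id')} ({vuln.get('severity')}) via {entry['manifest']}")
    return findings


def sbom_supplier_gaps(sbom: dict) -> List[str]:
    """Packages with no asserted supplier cannot be tied to a vendor assessment record."""
    return [f"{p['name']}@{p.get('versionInfo', '?')}" for p in sbom["packages"]
            if str(p.get("supplier", "")).upper() in ("", "NOASSERTION")]


def pipeline_may_proceed(diff: List[dict], highest_allowed: str = "moderate") -> bool:
    """Single yes/no that the CI job turns into its exit status."""
    findings = gate_dependency_diff(diff, highest_allowed)
    return not findings["blocking"] and not findings["unvetted"]


if __name__ == "__main__":
    print(json.dumps(gate_dependency_diff(DEPENDENCY_DIFF), indent=2))
    print("supplier gaps:", sbom_supplier_gaps(SBOM_SUMMARY))
    print("may proceed:", pipeline_may_proceed(DEPENDENCY_DIFF))
```

In a real pipeline the two JSON constants would be replaced by the stdout of the two `gh api` commands, and the printed findings would be archived with the job so the "Automated: CI/CD pipeline logs show ... policy enforcement decisions" evidence line above is backed by an actual decision record rather than a scan summary. Removed packages are reported but never block, so that a PR that deletes a vulnerable dependency is not penalised for it.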

>20x Assessment Focus Areas

Aligned with FedRAMP 20x Phase Two assessment methodology

Completeness & Coverage:

  • Does your supply chain risk management cover all supplier categories — open-source libraries, commercial software vendors, cloud infrastructure providers, managed service providers, and SaaS integrations?
  • How do you assess supply chain risks beyond vulnerability management — including vendor viability, geopolitical risk, single-source dependencies, and build pipeline integrity?
  • Are there suppliers or third-party components that have not been subject to risk assessment, and how are those gaps identified and tracked?
  • How do you ensure supply chain risk mitigation extends to build infrastructure — ensuring CI/CD pipelines, package registries, and artifact repositories are not compromised?

Automation & Validation:

  • What automated tools verify the integrity of third-party components before they are incorporated — signature verification, provenance attestation (SLSA), or hash validation?
  • How do you detect supply chain attacks such as dependency confusion, typosquatting, or compromised maintainer accounts?
  • What automated monitoring alerts when a supplier's security posture changes — for example, a vendor loses a certification, experiences a breach, or changes ownership?
  • How do you validate that mitigations for identified supply chain risks are effective — through testing, monitoring, or periodic reassessment?
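
The first two questions in this group name concrete checks (hash validation, and detection of dependency confusion and typosquatting). The Python below is an added example, not code from the FedRAMP page or any tool it names, showing what those checks look like when run over a lockfile-style inventory before a build consumes it. The internal package prefix, the registry host lists, the known-package set, and the lock entries are assumptions constructed for the example.

```python
"""Pre-build integrity checks for third-party components.

Added example (not the page's or FedRAMP's code): hash validation of a fetched
artifact against a pinned digest, dependency confusion detection (an internal
package name that resolved from a public index), and a typosquatting
heuristic (a new name within a couple of edits of a known one). All policy
inputs and lock entries below are constructed assumptions.
"""
import hashlib
import hmac
from typing import Dict, List

# Assumed policy inputs (constructed).
INTERNAL_PREFIX = "acme-"                         # names our org publishes internally
INTERNAL_INDEX_HOSTS = {"pypi.internal.example"}  # the only place acme-* may resolve from
PUBLIC_INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org"}
KNOWN_PACKAGES = {"requests", "cryptography", "urllib3", "pyyaml"}

# Constructed lock entries: name, version and the index host each one resolved from.
LOCK_ENTRIES = [
    {"name": "requests", "version": "2.32.3", "host": "pypi.org"},
    {"name": "acme-billing-client", "version": "3.2.0", "host": "pypi.org"},   # internal name, public host
    {"name": "acme-auth-sdk", "version": "1.4.0", "host": "pypi.internal.example"},
    {"name": "reqeusts", "version": "0.0.2", "host": "pypi.org"},              # one transposition from 'requests'
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(artifact: bytes, pin: str) -> bool:
    """Hash validation: `pin` is 'sha256:<hex>' as a lockfile would store it."""
    algo, _, expected = pin.partition(":")
    if algo != "sha256" or len(expected) != 64:
        return False  # an unsupported or malformed pin fails closed
    return hmac.compare_digest(sha256_hex(artifact), expected.lower())


def dependency_confusion_findings(entries: List[dict]) -> List[str]:
    """Internal-namespace packages must resolve from the internal index only."""
    return [f"{e['name']}@{e['version']} resolved from public index {e['host']}"
            for e in entries
            if e["name"].startswith(INTERNAL_PREFIX) and e["host"] in PUBLIC_INDEX_HOSTS]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_findings(entries: List[dict], max_distance: int = 2) -> Dict[str, str]:
    """Names within `max_distance` edits of a known package that are not that package."""
    suspects: Dict[str, str] = {}
    for e in entries:
        name = e["name"]
        if name in KNOWN_PACKAGES:
            continue
        for known in sorted(KNOWN_PACKAGES):
            if edit_distance(name, known) <= max_distance:
                suspects[name] = known  # record which known name it resembles for the reviewer
                break
    return suspects


def integrity_report(entries: List[dict]) -> Dict[str, object]:
    """Everything a pre-build gate would attach to the job log."""
    return {
        "dependency_confusion": dependency_confusion_findings(entries),
        "typosquat_suspects": typosquat_findings(entries),
    }


if __name__ == "__main__":
    print(integrity_report(LOCK_ENTRIES))
    print("pin ok:", verify_pinned(b"constructed artifact bytes",
                                   "sha256:" + sha256_hex(b"constructed artifact bytes")))
```

The edit-distance heuristic is a triage signal, not a verdict: very short names will collide with legitimate packages, so a hit should route the new dependency to the vetting queue the "unvetted dependency" question asks about, and the dependency-confusion check assumes the resolver records which index served each package, which is the piece of metadata worth keeping in the lockfile.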

Inventory & Integration:

  • How do you maintain an inventory of all third-party suppliers and components in your supply chain, including their risk ratings and assessment status?
  • What tools support supply chain risk assessment (vendor risk management platforms, SCA tools, SBOM analysis, threat intelligence feeds)?
  • How does supply chain risk data integrate with your overall risk register and vulnerability management program?
  • Are third-party component provenance and integrity verification integrated into your CI/CD pipeline as mandatory gates?

Continuous Evidence & Schedules:

  • How frequently are supply chain risks reassessed, and what evidence demonstrates persistent identification and review?
  • Is supply chain risk data (supplier inventory, risk ratings, assessment dates, mitigation status) available via API or dashboard?
  • What evidence shows supply chain risk mitigations have been implemented and are effective — not just documented but operational?
  • How do you detect new supply chain risks introduced by developer choices — for example, when a new dependency is added that has not been vetted?

Update History

2026-02-04: Renamed theme to Supply Chain Risk; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
