
SR-8 Notification Agreements

Baselines: LI-SaaS, Low, Moderate, High

>Control Description

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; organization-defined information].

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

SR-8 Requirement: CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

>Discussion

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

>Cross-Framework Mappings

>Programmatic Queries


Related Services

Amazon SNS
AWS Health
Amazon EventBridge

CLI Commands

List SNS topics for notifications:
  aws sns list-topics
List AWS Health events (service incidents):
  aws health describe-events --filter '{"eventTypeCategories":["issue"]}'
List EventBridge rules for supply chain alerts:
  aws events list-rules --name-prefix security
List SNS subscriptions for notification routing:
  aws sns list-subscriptions
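The commands above only list resources; an assessor wants to know whether a vendor notification would actually reach someone. The script below is an added example (not part of this page or any FedRAMP tooling) that reads the JSON the `aws sns list-subscriptions` and `aws events list-rules` commands return and flags topics with no confirmed subscriber and rules that are not enabled. The account id, topic names, endpoints and rule names are constructed samples.

```python
import json

# Constructed sample in the shape of `aws sns list-subscriptions` output
# (fake account id and endpoints, not real data).
SAMPLE_SUBSCRIPTIONS = json.dumps({"Subscriptions": [
    {"SubscriptionArn": "arn:aws:sns:us-east-1:111111111111:vendor-vuln-notifications:1a2b",
     "Protocol": "email", "Endpoint": "secops@example.com",
     "TopicArn": "arn:aws:sns:us-east-1:111111111111:vendor-vuln-notifications"},
    {"SubscriptionArn": "PendingConfirmation",
     "Protocol": "email", "Endpoint": "oncall@example.com",
     "TopicArn": "arn:aws:sns:us-east-1:111111111111:zero-day-alerts"},
]})
# Constructed sample in the shape of `aws events list-rules --name-prefix security`.
SAMPLE_RULES = json.dumps({"Rules": [
    {"Name": "security-health-issues", "State": "ENABLED",
     "EventPattern": "{\"source\":[\"aws.health\"]}"},
    {"Name": "security-vendor-feed", "State": "DISABLED",
     "EventPattern": "{\"source\":[\"vendor.feed\"]}"},
]})

def confirmed_endpoints_by_topic(list_subscriptions_output: str) -> dict:
    """Map each topic ARN to endpoints whose subscription is confirmed.
    SNS reports unconfirmed or removed subscriptions with the literal strings
    'PendingConfirmation' or 'Deleted' in SubscriptionArn; those never receive messages."""
    by_topic: dict = {}
    for sub in json.loads(list_subscriptions_output)["Subscriptions"]:
        endpoints = by_topic.setdefault(sub["TopicArn"], [])
        if sub["SubscriptionArn"].startswith("arn:"):
            endpoints.append(sub["Endpoint"])
    return by_topic

def disabled_rules(list_rules_output: str) -> list:
    """Names of EventBridge rules that exist but are not in the ENABLED state."""
    return [r["Name"] for r in json.loads(list_rules_output)["Rules"]
            if r.get("State") != "ENABLED"]

def findings(list_subscriptions_output: str, list_rules_output: str) -> list:
    """Gaps an assessor would flag: topics with no confirmed subscriber, dormant rules."""
    out = []
    for topic, endpoints in confirmed_endpoints_by_topic(list_subscriptions_output).items():
        if not endpoints:
            out.append(f"no confirmed subscriber on topic {topic.rsplit(':', 1)[-1]}")
    for name in disabled_rules(list_rules_output):
        out.append(f"EventBridge rule {name} is not ENABLED")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_SUBSCRIPTIONS, SAMPLE_RULES)))
```

Against a live account, pipe the two CLI commands' output into the functions in place of the samples; each finding is a routing gap to record alongside the SR-8 notification procedure.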

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-8?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you show component inventory and validation records?
