myctrl.tools
Compare

SR-06Supplier Assessments and Reviews

Moderate

>Control Description

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide organization-defined frequency.

>Discussion

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor.

Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What supply chain risk management policies address SR-6?
  • Who is responsible for managing supply chain risks?
  • How do you assess and monitor risks from suppliers, vendors, and contractors?
  • How do you evaluate and select suppliers based on security criteria?

Technical Implementation:

  • What processes ensure that supply chain components meet security requirements?
  • How do you verify the authenticity and integrity of acquired components?
  • What controls prevent counterfeit or malicious components from entering your supply chain?
  • How do you track and verify the provenance of system components?
  • What anti-counterfeit measures are in place?

Evidence & Documentation:

  • Can you provide supply chain risk assessments?
  • What documentation demonstrates supplier compliance with security requirements?
  • Where do you maintain records of supplier assessments and component provenance?
  • Can you provide recent supplier security assessment reports?
  • Can you show component inventory and validation records?

Ask AI

Configure your API key to use AI features.