
IR-1 Policy and Procedures

>Control Description

Enterprises should integrate C-SCRM into incident response policy and procedures, and into related C-SCRM Strategy/Implementation Plans and Policies. The policy and procedures must provide direction for how to address supply chain-related incidents and cybersecurity incidents that may complicate or impact the supply chain. Individuals who work within specific mission and system environments need to be able to recognize cybersecurity supply chain-related incidents. The incident response policy should state when and how threats and incidents are to be handled, reported, and managed. Additionally, the policy should define when, how, and with whom to communicate to the FASC (Federal Acquisition Security Council) and to other stakeholders or partners within the broader supply chain in the event of a cyber threat or incident.

Departments and agencies must notify the FASC of supply chain risk information when the FASC requests information relating to a particular source, covered article, or covered procurement, or when an executive agency has determined that there is a reasonable basis to conclude that a substantial supply chain risk associated with a source, covered procurement, or covered article exists. In such instances, the executive agency shall provide the FASC with relevant information concerning the source or covered article, including 1) the supply chain risk information identified through the course of the agency's activities in furtherance of mitigating, identifying, or managing its supply chain risk, and 2) the supply chain risk information regarding covered procurement actions by the agency under the Federal Acquisition Supply Chain Security Act of 2018 (FASCSA), 41 U.S.C. § 4713, and any orders issued by the agency under 41 U.S.C. § 4713.
Bidirectional communication with supply chain partners should be defined in agreements with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers so that all involved parties are informed of a supply chain cybersecurity incident. Incident information may also be shared with enterprises such as the Federal Bureau of Investigation (FBI), US-CERT (United States Computer Emergency Readiness Team), and the NCCIC (National Cybersecurity and Communications Integration Center), as appropriate. Depending on the severity of the incident, accelerated communications up and down the supply chain may be necessary. Appropriate agreements should be put in place with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers to ensure speed of communication, response, corrective actions, and other related activities. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. At Level 2 and Level 3, procedures and enterprise-specific incident response methods must be in place, training completed (consider including Operations Security [OPSEC] and any appropriate threat briefing in training), and coordinated communication established throughout the supply chain to ensure an efficient and coordinated incident response effort.

>Cross-Framework Mappings
