IR-1(1)—Enterprises should ensure that their incident response policies and procedures provide guidance on effective information sharing of incidents and other key risk indicators in the supply chain.
>Control Description
Enterprises should ensure that their incident response policies and procedures provide guidance on effective information sharing of incidents and other key risk indicators in the supply chain. Guidance should – at a minimum – cover the collection, synthesis, and distribution of incident information from a diverse set of data sources, such as public data repositories, paid subscription services, and in-house threat intelligence teams.
Enterprises that operate in the public sector should include specific guidance on when and how to communicate with interagency partnerships, such as the FASC (Federal Acquisition Security Council) and other stakeholders or partners within the broader supply chain, in the event of a cyber threat or incident. Departments and agencies must notify the FASC of supply chain risk information when:
1) The FASC requests information relating to a particular source or covered article, or
2) An executive agency has determined that there is a reasonable basis to conclude that a substantial supply chain risk associated with a source, covered procurement, or covered article exists.
In such instances, the executive agency shall provide the FASC with relevant information concerning the source or covered article, including:
1) Supply chain risk information identified through the course of the agency’s activities in furtherance of mitigating, identifying, or managing its supply chain risk and
2) Supply chain risk information regarding covered procurement actions by the agency under the Federal Acquisition Supply Chain Security Act of 2018 (FASCSA) 41 U.S.C. § 4713; and any orders issued by the agency under 41 U.S.C. § 4713.