
SR-13a

>Control Description

a. Develop, document, and maintain an inventory of suppliers that:

1. Accurately and minimally reflects the organization’s tier one suppliers that may present a cybersecurity risk in the supply chain [Assignment: organization-defined parameters for determining tier one supply chain];

2. Is at the level of granularity deemed necessary for assessing criticality and supply chain risk, tracking, and reporting;

3. Documents the following information for each tier one supplier (e.g., prime contractor):

   i. Unique identifier for the procurement instrument (i.e., contract, task, or delivery order);
   ii. Description of the supplied products and/or services;
   iii. Program, project, and/or system that uses the supplier’s products and/or services; and
   iv. Assigned criticality level that aligns to the criticality of the program, project, and/or system (or component of system).

b. Review and update the supplier inventory [Assignment: enterprise-defined frequency].

Enterprises rely on numerous suppliers to execute their missions and functions. Many suppliers provide products and services in support of multiple missions, functions, programs, projects, and systems. Some suppliers are more critical than others, based on the criticality of the missions, functions, programs, projects, and systems that their products and services support, and on the enterprise’s level of dependency on the supplier. Enterprises should use criticality analysis to determine which products and services are critical, and from that derive the criticality of the suppliers documented in the supplier inventory. See Section 2, Appendix C, and RA-9 for guidance on conducting criticality analysis.
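The control specifies what a supplier inventory record must carry (items i–iv) and requires that the assigned criticality align with the programs the supplier supports and that the inventory be reviewed on a defined cadence. The following added example (not NIST text, and not tooling from any particular catalog) models one record, checks the four required fields, flags a supplier whose criticality sits below the most critical program it serves, detects non-unique procurement instrument identifiers, and lists suppliers whose last review is older than an assumed interval. The three-level criticality scale, the 90-day interval, the `AS_OF` date, and the sample suppliers and contract numbers are all constructed assumptions.

```python
"""Supplier inventory checks modelled on the fields SR-13a lists.

Added example; not NIST text. The criticality scale, review interval,
as-of date, and the sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Criticality(IntEnum):
    """Assumed three-level scale; the control leaves the scale to the enterprise."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Program:
    name: str
    criticality: Criticality


@dataclass
class SupplierRecord:
    supplier: str
    procurement_instrument: str     # i.   unique id of the contract, task, or delivery order
    description: str                # ii.  supplied products and/or services
    programs: tuple[Program, ...]   # iii. programs, projects, or systems using the supplier
    criticality: Criticality        # iv.  assigned criticality level
    last_reviewed: date             # b.   supports the periodic review requirement


def validate_record(rec: SupplierRecord) -> list[str]:
    """Return the ways a record falls short of items i-iv; an empty list means complete."""
    problems: list[str] = []
    if not rec.procurement_instrument.strip():
        problems.append("missing procurement instrument identifier")
    if not rec.description.strip():
        problems.append("missing description of products/services")
    if not rec.programs:
        problems.append("no program, project, or system recorded")
    else:
        # iv: the supplier's level must align to what it supports, so it may not
        # sit below the most critical program it serves.
        required = max(p.criticality for p in rec.programs)
        if rec.criticality < required:
            problems.append(
                f"criticality {rec.criticality.name} is below {required.name}, "
                f"the highest level among supported programs"
            )
    return problems


def duplicate_instruments(inventory: list[SupplierRecord]) -> set[str]:
    """Procurement instrument ids that appear more than once; item i requires uniqueness."""
    seen: set[str] = set()
    dupes: set[str] = set()
    for rec in inventory:
        key = rec.procurement_instrument.strip()
        if key in seen:
            dupes.add(key)
        seen.add(key)
    return dupes


def overdue_reviews(inventory: list[SupplierRecord], interval_days: int, today: date) -> list[str]:
    """Suppliers whose last review is older than the enterprise-defined interval (item b)."""
    limit = timedelta(days=interval_days)
    return [r.supplier for r in inventory if today - r.last_reviewed > limit]


# Constructed sample inventory: fictitious suppliers, programs, and contract numbers.
PAYROLL = Program("payroll system", Criticality.MODERATE)
FLIGHT_OPS = Program("flight operations", Criticality.HIGH)
AS_OF = date(2024, 6, 1)          # assumed date of the inventory review run
REVIEW_INTERVAL_DAYS = 90         # assumed enterprise-defined frequency

SAMPLE_INVENTORY = [
    SupplierRecord("Acme Hosting", "CT-0001", "managed hosting",
                   (PAYROLL,), Criticality.MODERATE, date(2024, 1, 10)),
    SupplierRecord("Orbit Avionics", "CT-0002", "avionics firmware",
                   (FLIGHT_OPS, PAYROLL), Criticality.MODERATE, date(2024, 5, 1)),
    SupplierRecord("Generic Office", "CT-0001", "",
                   (), Criticality.LOW, date(2023, 6, 1)),
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        for problem in validate_record(rec):
            print(f"{rec.supplier}: {problem}")
    print("duplicate instruments:", duplicate_instruments(SAMPLE_INVENTORY))
    print("overdue reviews:", overdue_reviews(SAMPLE_INVENTORY, REVIEW_INTERVAL_DAYS, AS_OF))
```

Run against the sample, the checks report that Orbit Avionics is rated MODERATE while supporting a HIGH program, that Generic Office lacks a description and a program, that contract id CT-0001 is reused, and that Acme Hosting and Generic Office are past the 90-day review window. The alignment rule takes the highest criticality among supported programs because a supplier serving one critical system inherits that system's criticality regardless of its other, lower-criticality work.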

>Cross-Framework Mappings
