NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-12 — Supply Chain Protection
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
This control (withdrawn from the SA family in Rev 5 and incorporated into the SR, Supply Chain Risk Management, family) addresses supply chain protection: ensuring that the products and services you acquire are not compromised during development, manufacturing, or delivery.
Example 1: Implement a supply chain risk management program that evaluates vendors before purchase, monitors them during the relationship, and includes contractual provisions for security requirements, incident notification, and right to audit. Focus your efforts on vendors that provide critical or high-risk components.
Example 2: Require Software Bills of Materials (SBOMs) from software vendors and scan them for known vulnerabilities using tools like Dependabot or Snyk. Track vendor security advisories and apply patches within defined timelines. Verify the integrity of delivered products using digital signatures and checksums.
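Example 2 names two mechanical checks a practitioner can automate: matching SBOM components against an advisory feed, and verifying delivered artifacts against the hashes the SBOM records. The Python below is an added illustration of both, not code from the original page or from any vendor or tool; the SBOM, the artifact bytes, and the advisory feed are all constructed inline, and the advisory format (component name, advisory id, first fixed version) is an assumption chosen for the example rather than any real feed's schema. Signature verification, which needs vendor keys, is not shown.

```python
import hashlib
import hmac
import json

# Constructed artifact bytes standing in for a delivered package file (not real vendor data).
SAMPLE_ARTIFACT = b"constructed contents of libexample-1.2.3.tar.gz"

# Constructed CycloneDX-style SBOM. Only the fields this example reads are included.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "name": "libexample",
            "version": "1.2.3",
            "purl": "pkg:generic/libexample@1.2.3",
            "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}],
        },
        {
            "name": "othercomp",
            "version": "2.0.0",
            "purl": "pkg:generic/othercomp@2.0.0",
            "hashes": [],  # vendor supplied no hash: this component cannot be verified
        },
    ],
})

# Constructed advisory feed (assumed schema): component name -> [(advisory id, first fixed version)].
# A component is affected when its version is older than the first fixed version.
SAMPLE_ADVISORIES = {
    "libexample": [("ADV-CONSTRUCTED-0001", "1.2.4")],
    "othercomp": [("ADV-CONSTRUCTED-0002", "1.9.0")],
}


def parse_version(version):
    """Turn a dotted numeric version such as '1.2.3' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json):
    """Return the component list from a CycloneDX-style SBOM document."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return sbom.get("components", [])


def find_vulnerable_components(components, advisories):
    """Match each SBOM component against the advisory feed.

    Returns a list of (name, version, advisory id) for every component whose
    version predates the advisory's first fixed version.
    """
    findings = []
    for comp in components:
        for advisory_id, fixed_in in advisories.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(fixed_in):
                findings.append((comp["name"], comp["version"], advisory_id))
    return findings


def verify_artifact(component, artifact_bytes):
    """Check delivered bytes against the SHA-256 recorded in the SBOM.

    Returns True only when the SBOM carries a SHA-256 hash and it matches the
    delivered bytes; a component with no recorded hash cannot be verified and
    yields False, so a missing hash is treated as a failed check, not a pass.
    """
    expected = next(
        (h["content"] for h in component.get("hashes", []) if h.get("alg") == "SHA-256"),
        None,
    )
    if expected is None:
        return False
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual.lower(), expected.lower())


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM_JSON)
    for name, version, adv in find_vulnerable_components(comps, SAMPLE_ADVISORIES):
        print(f"VULNERABLE: {name} {version} ({adv})")
    print("artifact integrity ok:", verify_artifact(comps[0], SAMPLE_ARTIFACT))
```

In practice the advisory feed would come from a service such as those the note names, and the hash check would run on the downloaded file before it is installed; the design point carried over from the note is that an SBOM component with no recorded hash is reported as unverifiable rather than silently accepted.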