NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-12(5) — Limitation of Harm
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Limit the potential harm from a supply chain compromise by reducing the access and privileges granted to vendor-supplied components and services.
Example 1: Run vendor-supplied software with minimum privileges. If a monitoring agent only needs read access to system metrics, do not give it administrator access. Apply the principle of least privilege to vendor service accounts, network access, and data permissions.
Example 2: Segment vendor-supplied systems on your network so that a compromise of one vendor's product does not give the attacker access to your entire environment. Place vendor management consoles and agent communication channels on a dedicated management VLAN with restricted access to production systems.
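The two examples above translate into concrete settings on a Linux host where the vendor agent runs under systemd. The script below is an added illustration, not part of the NIST catalog or any vendor's documentation: it audits a unit file for the least-privilege directives from Example 1 (a dedicated unprivileged account, no new privileges, an empty capability bounding set, a read-only system view) and for the network containment from Example 2 (deny all egress, then allow only a management subnet). The directive names are real systemd options; the two unit files, the `/opt/vendor-agent` paths and the management subnet `10.20.0.0/24` are constructed for the example.

```python
"""Audit a vendor agent's systemd unit for least-privilege and network-containment settings.

Added example, not from the NIST control text. Assumes the agent is a systemd
service on Linux; unit contents, paths and the management subnet are constructed.
"""
import ipaddress

# Capabilities that are effectively root and that a read-only metrics agent never needs.
ROOT_EQUIVALENT_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_DAC_OVERRIDE", "CAP_SYS_MODULE", "CAP_NET_ADMIN",
}
TRUTHY = {"yes", "true", "1", "on"}

# Constructed: a typical vendor-shipped unit that runs the agent as root with no restrictions.
WEAK_UNIT = """
[Unit]
Description=Vendor monitoring agent (constructed example)

[Service]
ExecStart=/opt/vendor-agent/bin/agent --config /etc/vendor-agent/agent.conf
Restart=always
"""

# Constructed: the same service confined to a service account and the management VLAN.
HARDENED_UNIT = """
[Unit]
Description=Vendor monitoring agent (constructed example, hardened)

[Service]
ExecStart=/opt/vendor-agent/bin/agent --config /etc/vendor-agent/agent.conf
Restart=always
User=vendor-agent
Group=vendor-agent
NoNewPrivileges=yes
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=yes
ReadOnlyPaths=/etc/vendor-agent
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=10.20.0.0/24
"""

MANAGEMENT_NET = "10.20.0.0/24"  # constructed management VLAN


def parse_service_section(text: str) -> dict:
    """Return [Service] directives as key -> list of values (systemd allows repeats)."""
    section, service = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            service.setdefault(key.strip(), []).append(value.strip())
    return service


def audit_unit(text: str, management_net: str) -> list:
    """Return a list of findings; an empty list means the unit passes every check."""
    svc = parse_service_section(text)
    findings = []
    last = lambda key: svc.get(key, [""])[-1]  # systemd honours the last assignment

    # Example 1: least privilege for the agent process.
    if last("User") in ("", "root"):
        findings.append("runs as root: set User= to a dedicated unprivileged account")
    if last("NoNewPrivileges").lower() not in TRUTHY:
        findings.append("NoNewPrivileges=yes missing: setuid helpers could re-escalate")
    if "CapabilityBoundingSet" not in svc:
        findings.append("CapabilityBoundingSet absent: full capability set inherited")
    elif any(v.startswith("~") for v in svc["CapabilityBoundingSet"]):
        findings.append("CapabilityBoundingSet uses a drop-list (~): prefer an explicit allow-list")
    else:
        granted = {c for v in svc["CapabilityBoundingSet"] for c in v.split()}
        if granted & ROOT_EQUIVALENT_CAPS:
            findings.append("root-equivalent capabilities granted: "
                            + ", ".join(sorted(granted & ROOT_EQUIVALENT_CAPS)))
    if last("ProtectSystem") != "strict":
        findings.append("ProtectSystem=strict missing: agent can write to /usr, /etc and /boot")

    # Example 2: network containment, deny everything then allow only the management subnet.
    if "any" not in svc.get("IPAddressDeny", []):
        findings.append("IPAddressDeny=any missing: agent may reach any network")
    else:
        mgmt = ipaddress.ip_network(management_net)
        for value in svc.get("IPAddressAllow", []):
            for entry in value.split():
                if entry == "localhost":
                    continue
                try:
                    if not ipaddress.ip_network(entry, strict=False).subnet_of(mgmt):
                        findings.append(f"IPAddressAllow={entry} reaches outside {management_net}")
                except (ValueError, TypeError):
                    findings.append(f"IPAddressAllow={entry} is not confined to {management_net}")
    return findings


if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(f"{name}: {audit_unit(unit, MANAGEMENT_NET) or ['ok']}")
```

Running the script prints five findings for the vendor-shipped unit and `ok` for the hardened one. The checks are deliberately pass/fail on the exact directives a reviewer would ask for; a unit that widens `IPAddressAllow=` to `0.0.0.0/0` fails the containment check even with every other hardening directive in place.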