NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT

SR-8 Notification Agreements

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

Practitioner Notes

Establish notification agreements with your suppliers that require them to alert you promptly about security incidents, vulnerabilities, or supply chain disruptions that could affect your organization.

Example 1: Include a clause in all vendor contracts requiring notification within 24-72 hours of any security incident that could affect your data or services. Define what constitutes a reportable incident and specify the notification method (email, phone, both).

Example 2: Require software vendors to notify you of vulnerabilities in their products before or simultaneously with public disclosure. This gives you time to prepare patches and mitigations before attackers start exploiting the vulnerability.