Implementation Objective
Reduce external dependency risk through supplier tiering, lifecycle assurance checks, and continuous monitoring.
NIST CSF 2.0 Category
GV.SC Cybersecurity Supply Chain Risk Management
GV Govern | Manage third-party and supply chain risk using risk-tiered oversight.
Implementation Actions
- Tier suppliers by criticality.
- Define onboarding and renewal checks.
- Reassess high-risk providers periodically.
Evidence Examples
- Vendor inventory and tiers
- Security review records
- Contract security requirements
Suggested Metrics
- Critical providers with current assessment
- Closure time for high-risk vendor findings
Framework Crosswalk
Direct mappings for this CSF category into NIST SP 800-171 family sections and CIS Controls v8 implementation domains.