GV.SC-05:

Implementation Examples

Ex1: 

Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised

Ex2: 

Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language

Ex3: 

Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements

Ex4: 

Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised

Ex5: 

Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle

Ex6: 

Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service

Ex7: 

Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products

Ex8: 

Contractually require suppliers to vet their employees and guard against insider threats

Ex9: 

Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections

Ex10: 

Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks