Framework Category
Cybersecurity Supply Chain Risk Management
Cybersecurity Supply Chain Risk Management addresses risks posed by third-party relationships through defined policies, roles, and procedures.
It involves assessing and managing supplier risks across the full lifecycle—from onboarding to offboarding—ensuring integration with broader cybersecurity and enterprise risk strategies, and including suppliers in incident response and recovery planning.
Implementation Questions
GV.SC-01
A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
A cybersecurity supply chain risk management strategy defines how your organization identifies, assesses, and mitigates risks from third-party vendors, suppliers, and partners who have access to your systems or data. This strategy should outline specific objectives, risk tolerance levels, and approaches for managing supply chain security risks throughout the vendor lifecycle. Without clear objectives, organizations often take an inconsistent approach to supply chain security, potentially leaving critical vulnerabilities unaddressed.
Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
A cybersecurity supply chain risk management program helps identify, assess, and mitigate risks from third-party vendors, suppliers, and service providers that may have access to your systems or data. This program should include formal policies defining roles and responsibilities, procedures for vendor assessment and monitoring, and a roadmap for continuous improvement with clear milestones.
Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
This question assesses whether your cybersecurity supply chain risk management program has been properly operationalized through defined processes that connect strategic goals to actual implementation. These processes should be formally documented, agreed upon by relevant stakeholders, and actively performed across the organization. Without this alignment, security initiatives may lack direction, coordination, and organizational buy-in.
Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
A cross-functional cybersecurity supply chain risk management team ensures that all relevant departments (IT, security, legal, procurement, etc.) collaborate to identify, assess, and mitigate supply chain security risks. This coordination prevents siloed approaches that might miss critical vulnerabilities and ensures consistent security practices across the supply chain ecosystem.
GV.SC-02
Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
Establishing clear ownership for supply chain risk management ensures accountability and prevents critical security tasks from falling through organizational gaps. These designated roles should have defined responsibilities for identifying, assessing, and mitigating risks from third-party vendors, suppliers, and service providers throughout the supply chain lifecycle.
Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?
This question assesses whether your organization has clearly defined who is responsible for managing cybersecurity risks associated with your supply chain and vendors. Documenting these roles ensures accountability, prevents gaps in oversight, and establishes clear procedures for addressing supply chain security incidents or vulnerabilities.
Has your organization established a responsibility matrix that clearly defines roles for cybersecurity supply chain risk management activities?
A responsibility matrix (such as RACI - Responsible, Accountable, Consulted, Informed) documents which teams or individuals are responsible for specific supply chain security activities, ensuring clear ownership and communication channels. This prevents critical security tasks from falling through the cracks and establishes accountability for supply chain risk management across the organization.
Are cybersecurity supply chain risk management responsibilities and performance requirements explicitly included in relevant job descriptions and personnel documentation?
Including specific cybersecurity supply chain risk management responsibilities in job descriptions creates clear accountability and ensures staff understand their security obligations when dealing with vendors and third parties. This practice helps organizations operationalize supply chain security by making it part of formal role expectations rather than an implicit or ad-hoc responsibility.
Has your organization established documented performance goals for personnel with cybersecurity risk management responsibilities, and do you periodically measure performance against these goals?
This question assesses whether your organization has formalized expectations for cybersecurity personnel and tracks their performance to ensure continuous improvement in risk management activities. Performance goals should be specific, measurable, and aligned with your organization's overall security objectives, such as reducing incident response time, improving vulnerability remediation rates, or enhancing security awareness training effectiveness.
Has your organization defined and documented roles and responsibilities for cybersecurity risk management in third-party relationships, and integrated these into relevant agreements?
This question assesses whether your organization has clearly established who is responsible for managing cybersecurity risks when working with external parties like suppliers, customers, and business partners. Defining these responsibilities helps prevent security gaps where each party assumes the other is handling a particular security control.
Has your organization clearly communicated the roles and responsibilities for managing cybersecurity supply chain risks related to third parties?
This question assesses whether your organization has established and internally communicated who is responsible for managing cybersecurity risks that come from your supply chain and third-party relationships. Clear role definition ensures accountability for tasks such as vendor risk assessments, contract security requirements, ongoing monitoring, and incident response related to third parties.
Has your organization established formal rules and protocols for information sharing and reporting with suppliers?
This question assesses whether your organization has documented procedures that govern how security information, incidents, vulnerabilities, and updates are shared between your organization and suppliers. These protocols should define what information can be shared, with whom, through which channels, and under what circumstances.
GV.SC-03
Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
Has your organization formally identified and documented areas of alignment and overlap between cybersecurity and enterprise risk management frameworks?
This question assesses whether the organization has systematically analyzed how cybersecurity risks integrate with broader enterprise risk management (ERM) processes. Identifying these alignments helps ensure cybersecurity risks are properly considered within the organization's overall risk appetite and management approach, rather than being treated in isolation.
Has your organization established integrated control sets that address both cybersecurity risk management and cybersecurity supply chain risk management?
Integrated control sets ensure that cybersecurity risk management practices are consistently applied across both internal operations and the supply chain. This approach prevents security gaps that could arise when treating these domains separately and promotes efficiency by avoiding redundant controls. Organizations with mature integrated control sets typically have unified governance frameworks, shared risk assessment methodologies, and consistent security requirements for both internal systems and external suppliers.
Has your organization integrated cybersecurity supply chain risk management into your continuous improvement processes?
This question assesses whether your organization systematically identifies, evaluates, and mitigates security risks from vendors, suppliers, and other third parties as part of your regular improvement cycles. Effective integration means supply chain risks are considered during procurement, vendor selection, contract negotiations, and ongoing vendor management activities, with established processes for regular reassessment and improvement.
Does your organization have a documented process for escalating material cybersecurity risks identified in your supply chain to senior management and addressing them within your enterprise risk management framework?
This question assesses whether the organization has formalized procedures to ensure supply chain cybersecurity risks receive appropriate visibility and treatment at executive levels. Material cybersecurity risks in the supply chain (such as critical vulnerabilities in third-party components, security breaches at key vendors, or compliance issues with suppliers) must be communicated upward to decision-makers who can allocate resources and authorize mitigation strategies.
GV.SC-04
Suppliers are known and prioritized by criticality
Has your organization established formal criteria for determining supplier criticality based on data sensitivity, system access levels, and business impact?
This question assesses whether your organization has a structured approach to categorizing suppliers based on risk factors. Effective supplier criticality criteria should consider what sensitive data suppliers can access, their level of access to your systems, and how essential their services are to your core operations. Without such criteria, organizations may apply inconsistent security controls across their supplier ecosystem, potentially leaving critical vulnerabilities unaddressed.
Does your organization maintain a comprehensive supplier inventory that includes criticality ratings for each supplier?
A supplier inventory helps organizations track all third parties that provide goods or services, while criticality ratings identify which suppliers pose the greatest risk or are most essential to operations. This enables proper allocation of resources for supplier risk management, focusing more attention on high-risk or critical suppliers. For example, a cloud hosting provider might be rated as highly critical, while an office supply vendor might receive a lower criticality rating.
GV.SC-05
Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
Has your organization established security requirements for suppliers, products, and services based on their criticality level and potential impact?
This question assesses whether your organization has a structured approach to managing supply chain security risks by defining requirements proportional to the criticality of each supplier, product, or service. For example, a cloud provider hosting sensitive data would have more stringent security requirements than an office supply vendor. Similarly, critical software components would require more thorough security assessments than non-critical tools.
Does your organization include comprehensive cybersecurity and supply chain requirements in standard contract language with third parties, along with verification methods for compliance?
Third-party relationships often introduce significant security risks when vendors don't maintain the same security standards as your organization. Standard contractual language should clearly define cybersecurity requirements, data handling expectations, incident response obligations, and supply chain security measures that align with your organization's security policies. These requirements should be accompanied by specific verification methods such as audit rights, compliance certifications, or periodic assessments.
Has your organization established formal rules and protocols for information sharing with suppliers and sub-tier suppliers in your contractual agreements?
This question assesses whether your organization has clearly defined how sensitive information should be shared with suppliers throughout your supply chain. Proper information sharing protocols help prevent unauthorized disclosure, ensure appropriate handling of confidential data, and establish clear expectations for all parties involved in the supply chain. These protocols typically include classification of shareable information, secure transmission methods, access controls, and incident reporting requirements.
Does your organization include security requirements in agreements with vendors and partners based on the criticality of the data or systems involved?
Including security requirements in agreements helps ensure that third parties handling your data or accessing your systems maintain appropriate security controls. The level of security requirements should be proportional to the criticality of the data/systems and the potential impact if compromised. For example, a vendor processing sensitive customer data would have stricter requirements than one providing office supplies.
Has your organization defined specific security requirements in service-level agreements (SLAs) that allow for monitoring supplier security performance throughout the relationship lifecycle?
This question assesses whether your organization has established clear security metrics, performance indicators, and compliance requirements within your supplier SLAs. These defined requirements create accountability and provide a framework for ongoing security monitoring of third parties who may have access to your systems or data. For example, an SLA might specify required response times for security incidents, minimum security control standards, or compliance with specific regulations.
Does your organization require suppliers to contractually disclose cybersecurity features, vulnerabilities, and functions of their products/services throughout the entire lifecycle or service term?
This question assesses whether your organization has formal agreements requiring suppliers to provide ongoing transparency about security aspects of their offerings. Without such contractual obligations, suppliers may not disclose known vulnerabilities, security features may go unused, and your organization could remain unaware of critical security information that affects your risk posture.
Do you contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products?
This question assesses whether your organization formally requires suppliers to document and keep updated inventories of all components within critical products. Having a complete bill of materials (BOM) enables you to quickly identify affected systems when vulnerabilities are discovered in specific components, assess supply chain risks, and manage product security throughout its lifecycle.
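The following is an added example (not part of this page, ResponseHub, or the NIST CSF text) of the practical use a component inventory enables: cross-referencing supplier SBOMs against vulnerability advisories to list which acquired products carry an affected component. The SBOMs and advisories are constructed samples with hypothetical component names and placeholder advisory IDs; the version-range semantics (affected from an "introduced" version up to but excluding a "fixed" version) follow the common OSV-style convention and are an assumption of this example.

```python
import json

# Constructed, minimal CycloneDX-style SBOMs for two hypothetical supplier
# products. Only the fields this example reads are present.
SAMPLE_SBOMS_JSON = """
[
  {"bomFormat": "CycloneDX", "specVersion": "1.5",
   "metadata": {"component": {"name": "vendor-gateway", "version": "4.2.0"}},
   "components": [
     {"type": "library", "name": "widgetparser", "version": "2.2.9"},
     {"type": "library", "name": "netcodec",     "version": "1.5.0"},
     {"type": "library", "name": "zipfold",      "version": "1.0"}
   ]},
  {"bomFormat": "CycloneDX", "specVersion": "1.5",
   "metadata": {"component": {"name": "vendor-portal", "version": "1.0.3"}},
   "components": [
     {"type": "library", "name": "widgetparser", "version": "3.1.0"},
     {"type": "library", "name": "netcodec",     "version": "1.4.2"}
   ]}
]
"""

# Constructed advisories with placeholder IDs (not real CVEs). A missing
# "fixed" key means every version from "introduced" onward is affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "widgetparser",
     "affected": [{"introduced": "2.0.0", "fixed": "2.3.1"}]},
    {"id": "ADV-EXAMPLE-002", "package": "netcodec",
     "affected": [{"introduced": "0.0.0", "fixed": "1.5.0"}]},
    {"id": "ADV-EXAMPLE-003", "package": "widgetparser",
     "affected": [{"introduced": "3.0.0"}]},
]


def parse_version(text):
    """Turn '1.2.13' into (1, 2, 13); non-numeric characters are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed=None):
    """True if introduced <= version < fixed (upper bound open, optional)."""
    v, lo = parse_version(version), parse_version(introduced)
    hi = parse_version(fixed) if fixed else None
    width = max(len(v), len(lo), len(hi) if hi else 0)
    pad = lambda t: t + (0,) * (width - len(t))  # '1.0' compares equal to '1.0.0'
    if pad(v) < pad(lo):
        return False
    return hi is None or pad(v) < pad(hi)


def find_affected_components(sbom, advisories):
    """Return one record per (component, advisory) match in a single SBOM."""
    product = sbom["metadata"]["component"]["name"]
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if any(version_in_range(comp["version"], r["introduced"], r.get("fixed"))
                   for r in adv["affected"]):
                hits.append({"product": product, "component": comp["name"],
                             "version": comp["version"], "advisory": adv["id"]})
    return hits


def affected_products(sboms, advisories):
    """Map each advisory ID to the sorted list of acquired products it touches."""
    result = {}
    for sbom in sboms:
        for hit in find_affected_components(sbom, advisories):
            result.setdefault(hit["advisory"], set()).add(hit["product"])
    return {adv: sorted(products) for adv, products in sorted(result.items())}


if __name__ == "__main__":
    sboms = json.loads(SAMPLE_SBOMS_JSON)
    for advisory, products in affected_products(sboms, SAMPLE_ADVISORIES).items():
        print(f"{advisory}: {', '.join(products)}")
```

Note that the boundary version 1.5.0 of netcodec in vendor-gateway is not reported, because the advisory's "fixed" version is excluded from the affected range; real advisories differ in how they express ranges, so the comparison rule has to match the advisory source you ingest.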
Does your organization require suppliers to implement employee vetting procedures and insider threat controls in contractual agreements?
This question assesses whether your organization formally requires suppliers to screen their employees and implement safeguards against malicious insider activities through contractual obligations. Supplier employees often have access to your sensitive data or systems, and inadequate vetting by suppliers creates security vulnerabilities that could impact your organization.
Does your organization require suppliers to provide evidence of their security practices through formal attestation, certification, or inspection processes?
This question assesses whether your organization has formal mechanisms to verify that suppliers maintain adequate security controls. By requiring evidence such as SOC 2 reports, ISO 27001 certifications, completed security questionnaires, or allowing security inspections, you can validate that third parties handling your data meet your security standards.
Does your organization include specific cybersecurity risk management provisions in contracts and agreements with suppliers and their supply chains?
This question assesses whether your organization formally documents the cybersecurity responsibilities and liabilities between all parties in the supply chain. Contracts should clearly define who is responsible for security incidents, data breaches, vulnerability management, and compliance requirements throughout the relationship lifecycle. Including these provisions helps establish accountability and ensures all parties understand their security obligations.
GV.SC-06
Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
Does your organization conduct risk-based due diligence assessments on prospective suppliers prior to establishing business relationships?
This question evaluates whether your organization has a systematic process for evaluating potential suppliers based on the risk they may introduce to your business. Due diligence should include assessments of suppliers' security practices, financial stability, compliance history, and operational capabilities, with the depth of assessment proportional to the criticality of the supplier relationship and access to sensitive data or systems.
Does your organization have a formal process to assess the cybersecurity capabilities and risk management practices of potential suppliers before engagement?
This question evaluates whether your organization conducts due diligence on suppliers' security posture before establishing business relationships. A robust supplier assessment process should examine technical security controls, compliance certifications, incident response capabilities, and the supplier's own third-party risk management practices.
Does your organization perform risk assessments of suppliers against business requirements and cybersecurity standards?
Supplier risk assessments help identify potential security vulnerabilities in your supply chain that could impact your organization's security posture. These assessments evaluate suppliers based on their access to your systems/data, the criticality of their services, and their own security controls implementation against your requirements and industry standards.
Does your organization have a formal process to verify the authenticity, integrity, and security of critical products before acquisition and deployment?
This question assesses whether you have established procedures to evaluate critical products before they enter your environment. This includes verifying the legitimacy of the vendor, checking for tampering during delivery, and evaluating security vulnerabilities or weaknesses in the products themselves. These checks help prevent supply chain attacks, counterfeit products, and the introduction of compromised software or hardware into your systems.
GV.SC-07
The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
Does your organization adjust third-party assessment formats and frequencies based on the vendor's reputation and the criticality of their products or services?
This question evaluates whether your organization tailors its third-party risk management approach rather than using a one-size-fits-all method. Higher-risk vendors providing critical services should undergo more rigorous and frequent assessments than lower-risk vendors. For example, a cloud provider hosting sensitive customer data might require quarterly comprehensive assessments, while an office supply vendor might only need an annual lightweight review.
Does your organization have a formal process to collect and evaluate evidence of third-party compliance with contractual cybersecurity requirements?
This question assesses whether your organization systematically verifies that third parties are meeting the cybersecurity requirements specified in contracts. This includes collecting and evaluating documentation such as self-attestations, warranties, certifications (like SOC 2, ISO 27001), audit reports, and security questionnaire responses from vendors and partners.
Does your organization regularly monitor critical suppliers' compliance with security obligations through inspections, audits, tests, or other evaluation methods?
This question assesses whether you have an active program to verify that your critical suppliers maintain their security commitments throughout your relationship. Effective supplier monitoring helps identify security gaps before they lead to incidents and ensures continuous compliance with your security requirements.
Does your organization have a formal process to monitor critical suppliers, services, and products for changes in their risk profiles and update their criticality assessments accordingly?
This question assesses whether your organization maintains ongoing visibility into supply chain risks rather than treating vendor risk as a one-time assessment. Changes in a supplier's security posture, ownership, geographic location, or financial stability can significantly impact the risk they pose to your organization.
Has your organization established a business continuity plan that specifically addresses supplier and supply chain interruptions?
A business continuity plan for supply chain disruptions helps organizations maintain critical operations during unexpected supplier issues such as vendor bankruptcy, natural disasters affecting suppliers, geopolitical conflicts, or transportation disruptions. This plan should identify critical suppliers, alternative sourcing options, inventory management strategies, and communication protocols for supply chain emergencies.
GV.SC-08
Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
Has your organization established formal incident response communication protocols with suppliers that define rules for reporting incidents, recovery activities, and status updates?
This question assesses whether your organization has clear procedures for communicating with suppliers during security incidents, ensuring timely information sharing and coordinated response efforts. Effective supplier communication protocols help minimize incident impact by establishing when and how suppliers should report incidents that may affect your organization, and how your organization communicates incidents that may impact suppliers.
Has your organization formally documented the incident response roles and responsibilities for both internal teams and external suppliers?
This question assesses whether your organization has clearly defined who is responsible for what actions during security incidents, both within your organization and among your suppliers or vendors. Clear role definition prevents confusion during incidents, ensures proper coordination, and establishes accountability for incident response activities across organizational boundaries.
Does your organization include critical suppliers in incident response exercises and simulations?
Including critical suppliers in incident response exercises ensures coordinated response capabilities during security incidents that may involve or impact your supply chain. This practice helps identify communication gaps, clarify roles and responsibilities, and test the effectiveness of response procedures across organizational boundaries.
Has your organization established and documented crisis communication protocols with your critical suppliers?
Crisis communication protocols ensure that during security incidents, system outages, or other emergencies, your organization can effectively coordinate responses with critical suppliers. These protocols should define communication channels, escalation procedures, contact information for key personnel, and the types of events that trigger communications.
Does your organization conduct formal lessons learned sessions with critical suppliers following significant projects, incidents, or on a regular cadence?
Collaborative lessons learned sessions with critical suppliers help identify areas for improvement in security practices, communication protocols, and incident response procedures. These sessions can uncover vulnerabilities in the supply chain, establish better coordination mechanisms, and strengthen relationships with key suppliers who may have access to sensitive systems or data.
GV.SC-09
Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
Does your organization maintain provenance records for all acquired technology products and services?
Technology provenance records document the origin, chain of custody, and authenticity of technology products and services your organization acquires. These records help verify that products come from legitimate sources, haven't been tampered with, and don't contain malicious components or vulnerabilities. Provenance records are particularly important for supply chain security, as they help identify potential risks from third-party vendors and protect against counterfeit or compromised products. They also support compliance with regulations that require verification of technology sources.
Does your organization provide regular risk reporting to leadership regarding the authenticity and integrity of acquired components?
This question assesses whether your organization has a formal process to verify and report on the authenticity of components (hardware, software, services) acquired from third parties, and communicates these findings to leadership. Supply chain attacks often target organizations through compromised components, making verification and leadership awareness critical security controls.
Does your organization have a documented process for ensuring that software patches, updates, and upgrades are acquired only from authenticated and trustworthy sources?
This question assesses whether your organization has formal procedures to verify the authenticity of software sources before implementing patches or updates. Without proper verification, organizations risk installing compromised software that could contain malware or backdoors, potentially leading to data breaches or system compromise.
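As an added example (written for this page, not code from ResponseHub or from any vendor), here is the kind of automated check such a procedure can be built on: an update is accepted only if it was fetched over HTTPS from an approved distribution host and its SHA-256 digest matches a manifest obtained from the supplier through a separate channel. The hostnames, artifact bytes and manifest are constructed samples; in practice the manifest would be the supplier's signed release listing, and verifying that signature is a vendor-specific step this example assumes has already happened.

```python
import hashlib
import hmac
from typing import NamedTuple
from urllib.parse import urlsplit

# Constructed allowlist of distribution hosts (hypothetical, not a real vendor).
# Matching is exact: subdomains are not implicitly trusted.
APPROVED_SOURCES = {"downloads.example-vendor.test", "mirror.example-vendor.test"}

# Constructed sample bytes standing in for a downloaded update package.
SAMPLE_ARTIFACT = b"example-agent 2.1.0 package contents (constructed sample)\n"

# The digest manifest must come from the supplier independently of the download
# (e.g. a signed release note). It is derived from the sample here only so the
# example runs offline.
TRUSTED_MANIFEST = {
    "example-agent-2.1.0.tar.gz": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
}


class Verdict(NamedTuple):
    accepted: bool
    reason: str


def verify_update(source_url, artifact, manifest=TRUSTED_MANIFEST,
                  approved=APPROVED_SOURCES):
    """Decide whether a downloaded update may be staged for installation."""
    parts = urlsplit(source_url)
    if parts.scheme != "https":
        return Verdict(False, f"rejected: scheme {parts.scheme!r} is not https")
    # .hostname strips any userinfo and port, so 'user@host' tricks resolve to
    # the real host rather than the text before the '@'.
    host = (parts.hostname or "").lower()
    if host not in approved:
        return Verdict(False, f"rejected: host {host!r} is not an approved source")
    filename = parts.path.rsplit("/", 1)[-1]
    expected = manifest.get(filename)
    if expected is None:
        return Verdict(False, f"rejected: {filename!r} is not listed in the trusted manifest")
    actual = hashlib.sha256(artifact).hexdigest()
    # Constant-time comparison; the digests are public, but this is the habit.
    if not hmac.compare_digest(actual, expected):
        return Verdict(False, "rejected: SHA-256 digest does not match the manifest")
    return Verdict(True, f"accepted: {filename} from {host} matches the manifest digest")


if __name__ == "__main__":
    good = "https://downloads.example-vendor.test/releases/example-agent-2.1.0.tar.gz"
    print(verify_update(good, SAMPLE_ARTIFACT))
    print(verify_update(good.replace("https", "http", 1), SAMPLE_ARTIFACT))
    print(verify_update(good, SAMPLE_ARTIFACT + b"x"))
```

The order of checks matters for what an operator sees in the log: source-of-acquisition failures are reported before integrity failures, so a package pulled from an unapproved mirror is flagged as a process violation even when its bytes happen to be genuine.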
Does your organization have policies requiring that only approved supplier personnel perform maintenance on supplier products?
This question assesses whether your organization has formal policies that restrict maintenance activities on supplier products to only those personnel who have been explicitly approved by the supplier. Such policies help prevent unauthorized modifications, reduce the risk of introducing vulnerabilities, and maintain warranty compliance.
Does your organization have documented policies and procedures for verifying critical hardware upgrades against unauthorized changes before implementation?
This control ensures that hardware upgrades are thoroughly inspected for potential tampering, unauthorized modifications, or supply chain compromises before being deployed in your environment. For example, firmware updates for network devices, server components, or security appliances should be verified for integrity and authenticity to prevent the introduction of backdoors or malicious code.
GV.SC-10
Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Has your organization established formal processes for terminating critical third-party relationships under both normal and adverse circumstances?
Critical relationships with vendors, partners, and service providers require clear termination procedures to minimize security risks when these relationships end. Without proper termination processes, organizations risk data breaches, service disruptions, or compliance violations during transitions. This includes procedures for revoking access rights, retrieving assets, transferring data, and ensuring contractual obligations are fulfilled under both planned and emergency scenarios.
Has your organization established and implemented a formal plan for managing component end-of-life, maintenance support, and obsolescence?
This question assesses whether your organization has a structured approach to handling technology components as they reach end-of-life or become obsolete. Without proper planning, organizations risk using unsupported components that may contain unpatched security vulnerabilities, face unexpected costs for emergency replacements, or experience operational disruptions when critical components fail without available replacements.
Does your organization have a process to promptly deactivate supplier access to systems and resources when it is no longer required?
Maintaining active access for suppliers after their engagement has ended creates unnecessary security risks. This includes ensuring that temporary vendor accounts, VPN access, cloud resource permissions, and physical access credentials are revoked immediately upon project completion or contract termination.
Does your organization have a documented process for the timely return and secure disposal of assets containing organizational data?
This question assesses whether your organization has formal procedures to ensure that all company assets (laptops, mobile devices, storage media, etc.) containing sensitive data are either returned or properly destroyed when no longer needed or when employees leave. Without proper asset return and disposal processes, organizational data may remain accessible to unauthorized individuals, potentially leading to data breaches or compliance violations.
Does your organization have a documented process for terminating or transitioning supplier relationships that specifically addresses supply chain security risks and resilience?
This question assesses whether your organization has formal procedures to manage the security implications when ending or changing supplier relationships. Without proper termination/transition planning, organizations risk data breaches, service disruptions, or compliance violations during these critical periods.
Has your organization implemented a formal supplier termination process that addresses data security and system access risks?
When supplier relationships end, there are significant risks if access to systems and data isn't properly revoked, or if data transfer/destruction isn't managed securely. This question assesses whether your organization has formalized procedures to mitigate these risks during supplier offboarding.
Does your organization have documented procedures for managing data leakage risks when terminating supplier relationships?
When supplier relationships end, there's a risk that sensitive data may be retained by the supplier or improperly handled during the transition. This question assesses whether your organization has formal processes to ensure data is either returned, securely destroyed, or properly transferred when a supplier relationship ends. These procedures should include data identification, access revocation, contractual obligations enforcement, and verification of data removal.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.