GV.SC-05.089
Does your organization require suppliers to contractually disclose cybersecurity features, vulnerabilities, and functions of their products/services throughout the entire lifecycle or service term?
Explanation
This question assesses whether your organization has formal agreements requiring suppliers to provide ongoing transparency about security aspects of their offerings. Without such contractual obligations, suppliers may not disclose known vulnerabilities, security features may go unused, and your organization could remain unaware of critical security information that affects your risk posture. Evidence of fulfillment could include: sample contract language or clauses that explicitly require suppliers to disclose cybersecurity features and vulnerabilities; a supplier security policy that mandates these disclosures; or documentation of a formal supplier management program that includes these requirements as standard practice.
Implementation Example
Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service.
ID: GV.SC-05.089
Context
- Function: GV: GOVERN
- Category: GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties