Do you contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products?
Explanation
Component transparency from suppliers is the subject here, covering whether contracts require a current bill of materials for the software or hardware in critical products. Having a complete bill of materials (BOM) enables you to quickly identify affected systems when vulnerabilities are discovered in specific components, assess supply chain risks, and manage product security throughout its lifecycle.
Evidence of fulfillment could include: sample contract language that explicitly requires suppliers to maintain and provide component inventories, documented processes for collecting and reviewing supplier BOMs, and examples of actual component inventories (software/hardware BOMs) received from suppliers for critical products.
Implementation Example
Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
ID: GV.SC-05.090
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

