GV.SC-05.090

Do you contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products?

Explanation

This question assesses whether your organization formally requires suppliers to document and keep updated inventories of all components within critical products. Having a complete bill of materials (BOM) enables you to quickly identify affected systems when vulnerabilities are discovered in specific components, assess supply chain risks, and manage product security throughout its lifecycle. Evidence of fulfillment could include: sample contract language that explicitly requires suppliers to maintain and provide component inventories, documented processes for collecting and reviewing supplier BOMs, and examples of actual component inventories (software/hardware BOMs) received from suppliers for critical products.

Implementation Example

Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products

ID: GV.SC-05.090

Context

Function
GV: GOVERN
Category
GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category
Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron