Does your organization provide regular risk reporting to leadership regarding the authenticity and integrity of acquired components?
Explanation
Component integrity reporting is the subject: whether you verify the authenticity of acquired hardware, software, and services and report those findings up to leadership. Supply chain attacks often target organizations through compromised components, making verification and leadership awareness critical security controls.
Evidence could include quarterly or monthly reports to leadership that document component verification activities, findings from integrity checks, summaries of vendor security assessments, or dashboards showing supply chain risk metrics with authenticity verification results.
Implementation Example
Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
ID: GV.SC-09.109
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

