Does your organization have policies requiring that only approved supplier personnel perform maintenance on supplier products?
Explanation
Controlled maintenance is the concern here: whether your policies require that only supplier-approved personnel perform maintenance on supplier products. Such policies help prevent unauthorized modifications, reduce the risk of introducing vulnerabilities, and maintain warranty compliance.
Evidence could include documented maintenance policies that explicitly state this requirement, supplier agreements that specify authorized maintenance personnel, or maintenance logs showing verification of approved personnel credentials before maintenance activities are performed.
Implementation Example
Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
ID: GV.SC-09.111
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

