Does your organization have a process to promptly deactivate supplier access to systems and resources when it is no longer required?
Explanation
Maintaining active access for suppliers after their engagement has ended creates unnecessary security risks. This includes ensuring that temporary vendor accounts, VPN access, cloud resource permissions, and physical access credentials are revoked immediately upon project completion or contract termination.
Evidence could include a documented offboarding procedure specific to suppliers, access review logs showing timely deactivation of supplier accounts, or automated notifications/tickets that trigger when supplier engagements end. A comprehensive supplier access management policy with clear timelines for deactivation would also serve as supporting evidence.
Implementation Example
Verify that supplier access to organization resources is deactivated promptly when it is no longer needed
ID: GV.SC-10.115
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

