Does your organization conduct formal risk assessments of suppliers that evaluate both business requirements and cybersecurity controls, including supply chain security?
Explanation
Supplier risk assessments help identify vulnerabilities that could be introduced through third parties who have access to your systems or data.
These assessments should evaluate suppliers against your organization's business requirements (e.g., service level agreements, financial stability) and cybersecurity requirements (e.g., data protection practices, security certifications, incident response capabilities).
Supply chain security specifically examines how components, software, or services provided by suppliers could introduce security risks into your environment.
Evidence of compliance could include documented supplier risk assessment procedures, completed assessment reports for key suppliers, a supplier risk register that tracks findings and remediation plans, or third-party security questionnaires that have been completed and evaluated.
Implementation Example
Conduct supplier risk assessments against business and applicable cybersecurity requirements, including the supply chain
ID: ID.RA-10.176
Context
- Function
- ID: IDENTIFY
- Category
- ID.RA: Risk Assessment
- Sub-Category
- Critical suppliers are assessed prior to acquisition
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?

