NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-01

A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders

Implementation examples

Ex1: Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
Ex2: Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders
Ex3: Develop and implement program processes based on the strategy, objectives, policies, and procedures that are agreed upon and performed by the organizational stakeholders
Ex4: Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, operations, legal, human resources, and engineering

Mapped NIST 800-53 r5 controls (3)

PM-30 SR-02 SR-03

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1357→P

All informative references (57)

CCMv4.0: STA-01
CCMv4.0: STA-06
CCMv4.0: STA-08
CIS Controls v8.0: 15.2
CIS Controls v8.1: 15.2
CRI Profile v2.0: GV.SC-01
CRI Profile v2.0: GV.SC-01.01
CRI Profile v2.0: GV.SC-01.02
CSF v1.1: ID.SC-1
CoP: A4
IRP: IRP-Sec-1
IRP: IRP-Sec-1
IRP: IRP-Sec-1
ISO/IEC 27001:2022: Mandatory Clause: 8.1
ISO/IEC 27001:2022: Annex A Controls: 5.1
ISO/IEC 27001:2022: Annex A Controls: 5.19
ISO/IEC 27001:2022: Annex A Controls: 5.20
ISO/IEC 27001:2022: Annex A Controls: 5.21
ISO/IEC 27001:2022: Annex A Controls: 5.22
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-006
NICE Framework: OG-WRL-009
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-015
NICE Framework: OG-WRL-016
OWASP Top 10 LLM Applications: LLM03-2025
OWASP Top 10 LLM Applications: LLM04-2025
PCI DSS: 12.8.1
PCI DSS: 12.8.3
PCI DSS: 12.8.4
PCI DSS: 12.8.5
PCI DSS: 12.9.1
PCI DSS: 12.9.2
PCI DSS: 12.1.4
PCI DSS: 1.2.3
PCI DSS: 1.2.4
PCI DSS: 6.3.1
PCI DSS: 6.3.2
PCI DSS: 6.4.3
PCI DSS: 11.6.1
SCF: GOV-01
SCF: GOV-02
SCF: RSK-01
SCF: RSK-09
SP 800-171 Rev 3: 03.17.01
SP 800-171 Rev 3: 03.17.03
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.2.0: PM-30
SP 800-53 Rev 5.2.0: SR-02
SP 800-53 Rev 5.2.0: SR-03
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-1 Risk Management Roles
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-7 Continuous Monitoring Strategy—O
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-9 System Stakeholders

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).