NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-02

Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

Implementation examples

Ex1: Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities
Ex2: Document cybersecurity supply chain risk management roles and responsibilities in policy
Ex3: Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
Ex4: Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
Ex5: Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
Ex6: Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
Ex7: Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
Ex8: Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers

Mapped NIST 800-53 r5 controls (3)

SR-02 SR-03 SR-05

All informative references (47)

CCMv4.0: HRS-09
CCMv4.0: HRS-10
CCMv4.0: HRS-13
CCMv4.0: IAM-11
CCMv4.0: STA-01
CCMv4.0: STA-02
CCMv4.0: STA-03
CCMv4.0: STA-04
CCMv4.0: STA-05
CCMv4.0: STA-06
CCMv4.0: STA-12
CCMv4.0: UEM-14
CIS Controls v8.0: 15.4
CIS Controls v8.1: 15.4
CRI Profile v2.0: GV.SC-02
CRI Profile v2.0: GV.SC-02.01
CSF v1.1: ID.AM-6
CoP: A4
ISO/IEC 27001:2022: Mandatory Clause: 5.3
ISO/IEC 27001:2022: Annex A Controls: 5.2
ISO/IEC 27001:2022: Annex A Controls: 5.4
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-003
NICE Framework: OG-WRL-009
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-015
NICE Framework: OG-WRL-016
OWASP Top 10 LLM Applications: LLM03-2025
PCI DSS: 12.8.3
PCI DSS: 12.8.4
PCI DSS: 12.1.4
PCI DSS: 12.10.1
SCF: TPM-05
SCF: TPM-05.2
SCF: TPM-05.4
SP 800-171 Rev 3: 03.17.02
SP 800-171 Rev 3: 03.17.03
SP 800-221A: GV.RR-1
SP 800-221A: GV.RR-2
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.2.0: SR-02
SP 800-53 Rev 5.2.0: SR-03
SP 800-53 Rev 5.2.0: SR-05
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-1 Risk Management Roles
SSDF: PO.2.1

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).