NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-03

Implementation examples

• Ex1: Identify areas of alignment and overlap with cybersecurity and enterprise risk management
• Ex2: Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management
• Ex3: Integrate cybersecurity supply chain risk management into improvement processes
• Ex4: Escalate material cybersecurity risks in supply chains to senior management, and address them at the enterprise risk management level

Mapped NIST 800-53 r5 controls (28)

All informative references (97)

• CCMv4.0: STA-01
• CCMv4.0: STA-06
• CCMv4.0: STA-08
• CCMv4.0: STA-11
• CCMv4.0: STA-12
• CCMv4.0: UEM-14
• CRI Profile v2.0: GV.SC-03
• CRI Profile v2.0: GV.SC-03.01
• CSF v1.1: ID.SC-2
• CoP: A4
• ISO/IEC 27001:2022: Mandatory Clause: 8.1
• ISO/IEC 27001:2022: Annex A Controls: 5.1
• ISO/IEC 27001:2022: Annex A Controls: 5.19
• ISO/IEC 27001:2022: Annex A Controls: 5.20
• ISO/IEC 27001:2022: Annex A Controls: 5.21
• NICE Framework: OG-WRL-002
• NICE Framework: OG-WRL-009
• NICE Framework: OG-WRL-012
• NICE Framework: OG-WRL-015
• NICE Framework: OG-WRL-016
• OWASP Top 10 LLM Applications: LLM03-2025
• PCI DSS: 6.4.3
• PCI DSS: 6.2.3
• PCI DSS: 12.8.3
• PCI DSS: 12.3.4
• PCI DSS: 11.6.1
• PCI DSS: 6.3.2
• PCI DSS: 6.3.1
• SCF: GOV-01
• SCF: GOV-02
• SCF: RSK-01
• SCF: RSK-09
• SP 800-171 Rev 3: 03.11.01
• SP 800-171 Rev 3: 03.11.04
• SP 800-171 Rev 3: 03.15.01
• SP 800-171 Rev 3: 03.17.01
• SP 800-171 Rev 3: 03.17.03
• SP 800-221A: GV.CT-2
• SP 800-221A: GV.CT-3
• SP 800-53 Rev 5.1.1: AC-01
• SP 800-53 Rev 5.1.1: AT-01
• SP 800-53 Rev 5.1.1: AU-01
• SP 800-53 Rev 5.1.1: CA-01
• SP 800-53 Rev 5.1.1: CM-01
• SP 800-53 Rev 5.1.1: CP-01
• SP 800-53 Rev 5.1.1: IA-01
• SP 800-53 Rev 5.1.1: IR-01
• SP 800-53 Rev 5.1.1: MA-01
• SP 800-53 Rev 5.1.1: MP-01
• SP 800-53 Rev 5.1.1: PE-01
• SP 800-53 Rev 5.1.1: PL-01
• SP 800-53 Rev 5.1.1: PM-01
• SP 800-53 Rev 5.1.1: PS-01
• SP 800-53 Rev 5.1.1: PT-01
• SP 800-53 Rev 5.1.1: RA-01
• SP 800-53 Rev 5.1.1: SA-01
• SP 800-53 Rev 5.1.1: SC-01
• SP 800-53 Rev 5.1.1: SI-01
• SP 800-53 Rev 5.1.1: SR-01
• SP 800-53 Rev 5.1.1: PM-09
• SP 800-53 Rev 5.1.1: PM-18
• SP 800-53 Rev 5.1.1: PM-30
• SP 800-53 Rev 5.1.1: PM-31
• SP 800-53 Rev 5.1.1: SR-02
• SP 800-53 Rev 5.1.1: SR-03
• SP 800-53 Rev 5.1.1: RA-03
• SP 800-53 Rev 5.1.1: RA-07
• SP 800-53 Rev 5.2.0: AC-01
• SP 800-53 Rev 5.2.0: AT-01
• SP 800-53 Rev 5.2.0: AU-01
• SP 800-53 Rev 5.2.0: CA-01
• SP 800-53 Rev 5.2.0: CM-01
• SP 800-53 Rev 5.2.0: CP-01
• SP 800-53 Rev 5.2.0: IA-01
• SP 800-53 Rev 5.2.0: IR-01
• SP 800-53 Rev 5.2.0: MA-01
• SP 800-53 Rev 5.2.0: MP-01
• SP 800-53 Rev 5.2.0: PE-01
• SP 800-53 Rev 5.2.0: PL-01
• SP 800-53 Rev 5.2.0: PM-01
• SP 800-53 Rev 5.2.0: PS-01
• SP 800-53 Rev 5.2.0: PT-01
• SP 800-53 Rev 5.2.0: RA-01
• SP 800-53 Rev 5.2.0: SA-01
• SP 800-53 Rev 5.2.0: SC-01
• SP 800-53 Rev 5.2.0: SI-01
• SP 800-53 Rev 5.2.0: SR-01
• SP 800-53 Rev 5.2.0: PM-09
• SP 800-53 Rev 5.2.0: PM-18
• SP 800-53 Rev 5.2.0: PM-30
• SP 800-53 Rev 5.2.0: PM-31
• SP 800-53 Rev 5.2.0: SR-02
• SP 800-53 Rev 5.2.0: SR-03
• SP 800-53 Rev 5.2.0: RA-03
• SP 800-53 Rev 5.2.0: RA-07
• SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
• SSDF: PW.4.1

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).