NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-04

Implementation examples

• Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission
• Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria

Mapped NIST 800-53 r5 controls (3)

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

All informative references (46)

• CCMv4.0: STA-07
• CIS Controls v8.0: 15.1
• CIS Controls v8.0: 15.3
• CIS Controls v8.1: 15.1
• CIS Controls v8.1: 15.3
• CRI Profile v2.0: GV.SC-04
• CRI Profile v2.0: GV.SC-04.01
• CSF v1.1: ID.SC-2
• CoP: A4
• ISO/IEC 27001:2022: Mandatory Clause: 6.1.1
• ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
• ISO/IEC 27001:2022: Mandatory Clause: 6.1.3
• ISO/IEC 27001:2022: Annex A Controls: 5.19
• ISO/IEC 27001:2022: Annex A Controls: 5.22
• NICE Framework: IO-WRL-003
• NICE Framework: OG-WRL-002
• NICE Framework: OG-WRL-009
• NICE Framework: OG-WRL-015
• NICE Framework: OG-WRL-016
• OWASP Top 10 LLM Applications: LLM03-2025
• PCI DSS: 12.8.1
• PCI DSS: 12.8.3
• PCI DSS: 12.8.4
• PCI DSS: 12.8.5
• PCI DSS: 12.8.2
• PCI DSS: 12.5.2
• PCI DSS: 1.2.4
• PCI DSS: 6.3.2
• SCF: AST-01
• SCF: TPM-01
• SCF: TPM-02
• SDOS: SDOS-IA-02
• SDOS: SDOS-IN-03
• SP 800-171 Rev 3: 03.11.01
• SP 800-171 Rev 3: 03.16.03
• SP 800-221A: GV.CT-2
• SP 800-221A: GV.CT-3
• SP 800-53 Rev 5.1.1: RA-09
• SP 800-53 Rev 5.1.1: SA-09
• SP 800-53 Rev 5.1.1: SR-06
• SP 800-53 Rev 5.2.0: RA-09
• SP 800-53 Rev 5.2.0: SA-09
• SP 800-53 Rev 5.2.0: SR-06
• SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-3 Risk Assessment—Organization
• SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-10 Asset Identification
• SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-14 Risk Assessment—System

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).