NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-05

Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

Implementation examples

Ex1: Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
Ex2: Include all cybersecurity and supply chain requirements that third parties must follow and how compliance with the requirements may be verified in default contractual language
Ex3: Define the rules and protocols for information sharing between the organization and its suppliers and sub-tier suppliers in agreements
Ex4: Manage risk by including security requirements in agreements based on their criticality and potential impact if compromised
Ex5: Define security requirements in service-level agreements (SLAs) for monitoring suppliers for acceptable security performance throughout the supplier relationship lifecycle
Ex6: Contractually require suppliers to disclose cybersecurity features, functions, and vulnerabilities of their products and services for the life of the product or the term of service
Ex7: Contractually require suppliers to provide and maintain a current component inventory (e.g., software or hardware bill of materials) for critical products
Ex8: Contractually require suppliers to vet their employees and guard against insider threats
Ex9: Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections
Ex10: Specify in contracts and other agreements the rights and responsibilities of the organization, its suppliers, and their supply chains, with respect to potential cybersecurity risks

Mapped NIST 800-53 r5 controls (6)

SA-04 SA-09 SR-03 SR-05 SR-06 SR-10

Mapped CWE weaknesses (3)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1277→P CWE-1357←P →P CWE-1395→P

All informative references (70)

CCMv4.0: CCC-05
CCMv4.0: CEK-08
CCMv4.0: DSP-13
CCMv4.0: DSP-14
CCMv4.0: IPY-04
CCMv4.0: STA-02
CCMv4.0: STA-03
CCMv4.0: STA-04
CCMv4.0: STA-08
CCMv4.0: STA-09
CCMv4.0: STA-12
CCMv4.0: STA-13
CCMv4.0: UEM-14
CIS Controls v8.0: 15.4
CIS Controls v8.1: 15.4
CRI Profile v2.0: EX.CN
CRI Profile v2.0: EX.CN-01
CRI Profile v2.0: EX.CN-02
CRI Profile v2.0: EX.CN-01.01
CRI Profile v2.0: EX.CN-01.02
CRI Profile v2.0: EX.CN-01.03
CRI Profile v2.0: EX.CN-02.01
CRI Profile v2.0: EX.CN-02.02
CRI Profile v2.0: EX.CN-02.03
CRI Profile v2.0: EX.CN-02.04
CSF v1.1: ID.SC-3
CoP: A4
ISO/IEC 27001:2022: Mandatory Clause: 4.2 (a)
ISO/IEC 27001:2022: Annex A Controls: 5.19
ISO/IEC 27001:2022: Annex A Controls: 5.20
ISO/IEC 27001:2022: Annex A Controls: 5.31
NICE Framework: IO-WRL-003
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-009
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-015
NICE Framework: OG-WRL-016
OWASP Top 10 LLM Applications: LLM03-2025
OWASP Top 10 LLM Applications: LLM04-2025
PCI DSS: 12.8.2
PCI DSS: 12.9.1
PCI DSS: 12.9.2
PCI DSS: 12.8.5
PCI DSS: 12.8.3
PCI DSS: 12.8.1
SCF: CPL-01
SCF: RSK-01
SCF: RSK-09
SCF: TPM-05
SCF: TPM-05.2
SDOS: SDOS-IA-02
SDOS: SDOS-IN-03
SP 800-171 Rev 3: 03.11.01
SP 800-171 Rev 3: 03.16.03
SP 800-171 Rev 3: 03.17.02
SP 800-171 Rev 3: 03.17.03
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.1.1: SR-10
SP 800-53 Rev 5.2.0: SA-04
SP 800-53 Rev 5.2.0: SA-09
SP 800-53 Rev 5.2.0: SR-03
SP 800-53 Rev 5.2.0: SR-05
SP 800-53 Rev 5.2.0: SR-06
SP 800-53 Rev 5.2.0: SR-10
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SSDF: PO.1.3

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).