NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-06

Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

Implementation examples

Ex1: Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
Ex2: Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
Ex3: Conduct supplier risk assessments against business and applicable cybersecurity requirements
Ex4: Assess the authenticity, integrity, and security of critical products prior to acquisition and use

Mapped NIST 800-53 r5 controls (4)

SA-04 SA-09 SR-05 SR-06

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1357→P

All informative references (64)

CCMv4.0: STA-01
CCMv4.0: STA-08
CCMv4.0: STA-11
CIS Controls v8.0: 15.5
CIS Controls v8.1: 15.5
CRI Profile v2.0: EX.DD
CRI Profile v2.0: EX.DD-01
CRI Profile v2.0: EX.DD-02
CRI Profile v2.0: EX.DD-01.01
CRI Profile v2.0: EX.DD-01.02
CRI Profile v2.0: EX.DD-01.03
CRI Profile v2.0: EX.DD-02.01
CRI Profile v2.0: EX.DD-02.02
CRI Profile v2.0: EX.DD-02.03
CRI Profile v2.0: EX.DD-02.04
CSF v1.1: ID.SC-1
CoP: A4
ISO/IEC 27001:2022: Mandatory Clause: 4.2 (a)
ISO/IEC 27001:2022: Annex A Controls: 5.19
ISO/IEC 27001:2022: Annex A Controls: 5.20
ISO/IEC 27001:2022: Annex A Controls: 5.31
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-006
NICE Framework: OG-WRL-009
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-015
NICE Framework: OG-WRL-016
OWASP Top 10 LLM Applications: LLM03-2025
OWASP Top 10 LLM Applications: LLM04-2025
PCI DSS: 12.8.3
PCI DSS: 12.8.1
PCI DSS: 12.8.5
PCI DSS: 12.8.2
PCI DSS: 12.5.2
PCI DSS: 1.2.4
PCI DSS: 1.2.3
SCF: TPM-01
SCF: TPM-02
SCF: TPM-03
SCF: TPM-03.2
SCF: TPM-03.3
SCF: TPM-04
SCF: TPM-04.1
SCF: TPM-04.3
SCF: TPM-04.4
SCF: TPM-05
SCF: TPM-05.2
SCF: TPM-05.4
SCF: TPM-05.7
SP 800-171 Rev 3: 03.11.01
SP 800-171 Rev 3: 03.16.03
SP 800-171 Rev 3: 03.17.02
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.2.0: SA-04
SP 800-53 Rev 5.2.0: SA-09
SP 800-53 Rev 5.2.0: SR-05
SP 800-53 Rev 5.2.0: SR-06
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-3 Risk Assessment—Organization
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-14 Risk Assessment—System

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).