NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-07

The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

Implementation examples

Ex1: Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
Ex2: Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts
Ex3: Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
Ex4: Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly
Ex5: Plan for unexpected supplier and supply chain-related interruptions to ensure business continuity

Mapped NIST 800-53 r5 controls (5)

RA-09 SA-04 SA-09 SR-03 SR-06

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1357←P →M

All informative references (94)

CCMv4.0: STA-01
CCMv4.0: STA-08
CCMv4.0: STA-10
CCMv4.0: STA-11
CCMv4.0: STA-12
CCMv4.0: STA-13
CCMv4.0: STA-14
CCMv4.0: UEM-14
CIS Controls v8.0: 15.6
CIS Controls v8.1: 15.6
CRI Profile v2.0: EX.MM
CRI Profile v2.0: EX.MM-01
CRI Profile v2.0: EX.MM-02
CRI Profile v2.0: EX.MM-01.01
CRI Profile v2.0: EX.MM-01.02
CRI Profile v2.0: EX.MM-01.03
CRI Profile v2.0: EX.MM-01.04
CRI Profile v2.0: EX.MM-01.05
CRI Profile v2.0: EX.MM-01.06
CRI Profile v2.0: EX.MM-02.01
CRI Profile v2.0: EX.MM-02.02
CRI Profile v2.0: EX.MM-02.03
CSF v1.1: ID.SC-2
CSF v1.1: ID.SC-4
CoP: A4
ISO/IEC 27001:2022: Mandatory Clause: 6.1.1
ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
ISO/IEC 27001:2022: Mandatory Clause: 6.1.3
ISO/IEC 27001:2022: Annex A Controls: 5.19
ISO/IEC 27001:2022: Annex A Controls: 5.20
ISO/IEC 27001:2022: Annex A Controls: 5.31
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-009
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-015
NICE Framework: OG-WRL-016
OWASP Top 10 LLM Applications: LLM03-2025
OWASP Top 10 LLM Applications: LLM04-2025
PCI DSS: 12.8.4
PCI DSS: 12.9.2
PCI DSS: 12.9.1
PCI DSS: 12.8.5
PCI DSS: 12.8.2
PCI DSS: 12.8.3
PCI DSS: 12.8.1
PCI DSS: 12.5.2
PCI DSS: 1.2.4
PCI DSS: 6.3.2
PCI DSS: 6.3.1
PCI DSS: 6.4.3
PCI DSS: 11.6.1
SCF: TPM-01
SCF: TPM-02
SCF: TPM-03
SCF: TPM-03.2
SCF: TPM-03.3
SCF: TPM-04
SCF: TPM-04.1
SCF: TPM-08
SDOS: SDOS-AU-02
SDOS: SDOS-IA-02
SDOS: SDOS-IN-03
SP 800-171 Rev 3: 03.11.01
SP 800-171 Rev 3: 03.16.03
SP 800-171 Rev 3: 03.17.03
SP 800-221A: GV.CT-2
SP 800-221A: GV.CT-3
SP 800-221A: MA.RM-2
SP 800-221A: MA.RM-3
SP 800-53 Rev 5.1.1: RA-09
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.2.0: RA-09
SP 800-53 Rev 5.2.0: SA-04
SP 800-53 Rev 5.2.0: SA-09
SP 800-53 Rev 5.2.0: SR-03
SP 800-53 Rev 5.2.0: SR-06
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-3 Risk Assessment—Organization
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-7 Continuous Monitoring Strategy—O
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-14 Risk Assessment—System
SP-800-37 Rev 2: RMF Select Step: TASK S-5 Continuous Monitoring Strategy— System
SP-800-37 Rev 2: RMF Assess Step: TASK A-3 Control Assessments
SP-800-37 Rev 2: RMF Assess Step: TASK A-5 Remediation Actions
SP-800-37 Rev 2: RMF Assess Step: TASK A-6 Plan of Action and Milestones
SP-800-37 Rev 2: RMF Authorize Step: TASK R-2 Risk Analysis and Determination
SP-800-37 Rev 2: RMF Authorize Step: TASK R-3 Risk Response
SP-800-37 Rev 2: RMF Monitor Step: TASK M-1 System and Environment Changes
SP-800-37 Rev 2: RMF Monitor Step: TASK M-2 Ongoing Assessments
SP-800-37 Rev 2: RMF Monitor Step: TASK M-3 Ongoing Risk Response
SSDF: PW.4.1
SSDF: PW.4.4

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).