NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-08

Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

Implementation examples

Ex1: Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
Ex2: Identify and document the roles and responsibilities of the organization and its suppliers for incident response
Ex3: Include critical suppliers in incident response exercises and simulations
Ex4: Define and coordinate crisis communication methods and protocols between the organization and its critical suppliers
Ex5: Conduct collaborative lessons learned sessions with critical suppliers

Mapped NIST 800-53 r5 controls (7)

CP-01 IR-01 SA-04 SA-09 SR-02 SR-03 SR-08

All informative references (70)

CCMv4.0: BCR-06
CCMv4.0: BCR-07
CCMv4.0: DSP-18
CCMv4.0: SEF-03
CCMv4.0: SEF-04
CCMv4.0: SEF-07
CCMv4.0: UEM-14
CIS Controls v8.0: 15.4
CIS Controls v8.1: 15.4
CRI Profile v2.0: GV.SC-08
CRI Profile v2.0: GV.SC-08.01
CSF v1.1: ID.SC-5
CoP: A4
ISO/IEC 27001:2022: Mandatory Clause: None
ISO/IEC 27001:2022: Annex A Controls: 5.26
NICE Framework: IO-WRL-005
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-009
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-015
NICE Framework: OG-WRL-016
NICE Framework: PD-WRL-003
OWASP Top 10 LLM Applications: LLM03-2025
PCI DSS: 12.10.5
PCI DSS: 12.10.1
PCI DSS: 12.8.5
PCI DSS: 12.8.1
PCI DSS: 1.2.4
PCI DSS: 1.2.3
PCI DSS: 12.10.2
PCI DSS: 12.10.6
PCI DSS: 12.8.2
PCI DSS: 12.9.1
SCF: BCD-01
SCF: BCD-01.2
SCF: IRO-01
SCF: IRO-02
SCF: IRO-02.5
SCF: TPM-01
SCF: TPM-02
SCF: TPM-10
SCF: TPM-11
SDOS: SDOS-AU-02
SDOS: SDOS-IA-02
SDOS: SDOS-IN-03
SP 800-171 Rev 3: 03.06.01
SP 800-171 Rev 3: 03.06.02
SP 800-171 Rev 3: 03.06.05
SP 800-171 Rev 3: 03.15.01
SP 800-171 Rev 3: 03.16.03
SP 800-171 Rev 3: 03.17.01
SP 800-171 Rev 3: 03.17.03
SP 800-221A: GV.CT-3
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-08
SP 800-53 Rev 5.1.1: CP-01
SP 800-53 Rev 5.1.1: IR-01
SP 800-53 Rev 5.2.0: SA-04
SP 800-53 Rev 5.2.0: SA-09
SP 800-53 Rev 5.2.0: SR-02
SP 800-53 Rev 5.2.0: SR-03
SP 800-53 Rev 5.2.0: SR-08
SP 800-53 Rev 5.2.0: CP-01
SP 800-53 Rev 5.2.0: IR-01
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-9 System Stakeholders
SP-800-37 Rev 2: RMF Monitor Step: TASK M-1 System and Environment Changes
SP-800-37 Rev 2: RMF Monitor Step: TASK M-3 Ongoing Risk Response

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).