NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-09

Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

Implementation examples

Ex1: Policies and procedures require provenance records for all acquired technology products and services
Ex2: Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic
Ex3: Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades only from authenticated and trustworthy software providers
Ex4: Review policies to ensure that they require approved supplier personnel to perform maintenance on supplier products
Ex5: Policies and procedure require checking upgrades to critical hardware for unauthorized changes

Mapped NIST 800-53 r5 controls (13)

PM-09 PM-19 PM-28 PM-30 PM-31 RA-03 RA-07 SA-04 SA-09 SR-02 SR-03 SR-05 SR-06

Mapped CWE weaknesses (1)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1357→M

All informative references (81)

CCMv4.0: STA-11
CCMv4.0: STA-12
CIS Controls v8.0: 15.6
CIS Controls v8.1: 15.6
CRI Profile v2.0: GV.SC-09
CRI Profile v2.0: GV.SC-09.01
CSF v1.1: ID.SC-1
CoP: A4
ISO/IEC 27001:2022: Mandatory Clause: 6.1.1
ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
ISO/IEC 27001:2022: Annex A Controls: 5.19
ISO/IEC 27001:2022: Annex A Controls: 5.20
ISO/IEC 27001:2022: Annex A Controls: 5.21
ISO/IEC 27001:2022: Annex A Controls: 5.22
NICE Framework: DD-WRL-001
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-009
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-015
NICE Framework: OG-WRL-016
OWASP Top 10 LLM Applications: LLM03-2025
PCI DSS: 6.4.3
PCI DSS: 9.5.1.1
PCI DSS: 9.5.1.2
PCI DSS: 9.5.1.2.1
PCI DSS: 6.3.1
PCI DSS: 6.3.3
PCI DSS: 11.6.1
PCI DSS: 6.2.3
PCI DSS: 12.3.4
PCI DSS: 12.8.4
PCI DSS: 6.3.2
PCI DSS: 12.8.1
PCI DSS: 12.8.5
PCI DSS: 12.3.4
SCF: GOV-01
SCF: GOV-05
SCF: PRM-07
SCF: RSK-01
SCF: RSK-09
SCF: RSK-09.1
SCF: SEA-07.1
SCF: TDA-01.1
SDOS: SDOS-AU-02
SDOS: SDOS-IA-02
SDOS: SDOS-IN-03
SP 800-171 Rev 3: 03.11.01
SP 800-171 Rev 3: 03.11.04
SP 800-171 Rev 3: 03.16.03
SP 800-171 Rev 3: 03.17.01
SP 800-171 Rev 3: 03.17.02
SP 800-171 Rev 3: 03.17.03
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: PM-19
SP 800-53 Rev 5.1.1: PM-28
SP 800-53 Rev 5.1.1: PM-30
SP 800-53 Rev 5.1.1: PM-31
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.2.0: PM-09
SP 800-53 Rev 5.2.0: PM-19
SP 800-53 Rev 5.2.0: PM-28
SP 800-53 Rev 5.2.0: PM-30
SP 800-53 Rev 5.2.0: PM-31
SP 800-53 Rev 5.2.0: RA-03
SP 800-53 Rev 5.2.0: RA-07
SP 800-53 Rev 5.2.0: SA-04
SP 800-53 Rev 5.2.0: SA-09
SP 800-53 Rev 5.2.0: SR-02
SP 800-53 Rev 5.2.0: SR-03
SP 800-53 Rev 5.2.0: SR-05
SP 800-53 Rev 5.2.0: SR-06
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-7 Continuous Monitoring Strategy—O

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).