NIST CSF 2.0 · All Functions · GV Govern · GV.SC Cybersecurity Supply Chain Risk Management

GV.SC-10

Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

Implementation examples

Ex1: Establish processes for terminating critical relationships under both normal and adverse circumstances
Ex2: Define and implement plans for component end-of-life maintenance support and obsolescence
Ex3: Verify that supplier access to organization resources is deactivated promptly when it is no longer needed
Ex4: Verify that assets containing the organization's data are returned or properly disposed of in a timely, controlled, and safe manner
Ex5: Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account
Ex6: Mitigate risks to data and systems created by supplier termination
Ex7: Manage data leakage risks associated with supplier termination

Mapped NIST 800-53 r5 controls (10)

PM-31 RA-03 RA-05 RA-07 SA-04 SA-09 SR-02 SR-03 SR-05 SR-06

All informative references (78)

CCMv4.0: DSP-02
CCMv4.0: DSP-16
CCMv4.0: HRS-05
CCMv4.0: IAM-07
CCMv4.0: IPY-04
CCMv4.0: SEF-04
CIS Controls v8.0: 15.7
CIS Controls v8.1: 15.7
CRI Profile v2.0: EX.TR
CRI Profile v2.0: EX.TR-01
CRI Profile v2.0: EX.TR-02
CRI Profile v2.0: EX.TR-01.01
CRI Profile v2.0: EX.TR-01.02
CRI Profile v2.0: EX.TR-01.03
CRI Profile v2.0: EX.TR-02.01
CSF v1.1: ID.SC-1
CoP: A4
ISO/IEC 27001:2022: Mandatory Clause: 6.1.1
ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
ISO/IEC 27001:2022: Mandatory Clause: 6.1.3
ISO/IEC 27001:2022: Annex A Controls: 5.19
ISO/IEC 27001:2022: Annex A Controls: 5.20
ISO/IEC 27001:2022: Annex A Controls: 5.21
ISO/IEC 27001:2022: Annex A Controls: 5.22
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-009
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-015
NICE Framework: OG-WRL-016
OWASP Top 10 LLM Applications: LLM03-2025
PCI DSS: 12.8.2
PCI DSS: 12.8.5
PCI DSS: 12.8.3
PCI DSS: 8.2.5
PCI DSS: 9.3.1.1
PCI DSS: 12.3.4
PCI DSS: 6.4.3
PCI DSS: 12.10.1
PCI DSS: 12.5.2
PCI DSS: 1.2.4
PCI DSS: 1.2.3
PCI DSS: 3.2.1
PCI DSS: 9.4.7
PCI DSS: 9.4.6
SCF: RSK-09
SCF: TPM-01
SCF: TPM-05.2
SP 800-171 Rev 3: 03.11.01
SP 800-171 Rev 3: 03.11.02
SP 800-171 Rev 3: 03.11.04
SP 800-171 Rev 3: 03.14.08
SP 800-171 Rev 3: 03.16.03
SP 800-171 Rev 3: 03.17.01
SP 800-171 Rev 3: 03.17.02
SP 800-171 Rev 3: 03.17.03
SP 800-221A: GV.PO-1
SP 800-53 Rev 5.1.1: PM-31
SP 800-53 Rev 5.1.1: RA-03
SP 800-53 Rev 5.1.1: RA-05
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-09
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.1.1: SR-03
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-06
SP 800-53 Rev 5.2.0: PM-31
SP 800-53 Rev 5.2.0: RA-03
SP 800-53 Rev 5.2.0: RA-05
SP 800-53 Rev 5.2.0: RA-07
SP 800-53 Rev 5.2.0: SA-04
SP 800-53 Rev 5.2.0: SA-09
SP 800-53 Rev 5.2.0: SR-02
SP 800-53 Rev 5.2.0: SR-03
SP 800-53 Rev 5.2.0: SR-05
SP 800-53 Rev 5.2.0: SR-06
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-15 Requirements Definition
SP-800-37 Rev 2: RMF Monitor Step: TASK M-7 System Disposal

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).