Cyber Posture

GV.SC — Cybersecurity Supply Chain Risk Management

Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders

GV.SC-01

A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders

4 implementation example(s) · 3 mapped NIST 800-53 control(s)

GV.SC-02

Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

8 implementation example(s) · 3 mapped NIST 800-53 control(s)

GV.SC-03

Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes

4 implementation example(s) · 28 mapped NIST 800-53 control(s)

GV.SC-04

Suppliers are known and prioritized by criticality

2 implementation example(s) · 3 mapped NIST 800-53 control(s)

GV.SC-05

Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

10 implementation example(s) · 6 mapped NIST 800-53 control(s)

GV.SC-06

Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

4 implementation example(s) · 4 mapped NIST 800-53 control(s)

GV.SC-07

The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

5 implementation example(s) · 5 mapped NIST 800-53 control(s)

GV.SC-08

Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

5 implementation example(s) · 7 mapped NIST 800-53 control(s)

GV.SC-09

Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

5 implementation example(s) · 13 mapped NIST 800-53 control(s)

GV.SC-10

Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement

7 implementation example(s) · 10 mapped NIST 800-53 control(s)

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).