NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-4(10) Supply Chain Coordination

Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents can occur anywhere through or to the supply chain and include compromises or breaches that involve primary or sub-tier providers, information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations consider including processes for protecting and sharing incident information in information exchange agreements and their obligations for reporting incidents to government oversight bodies (e.g., Federal Acquisition Security Council).

Practitioner Notes

When an incident involves your supply chain — a compromised vendor, a tainted software update, or a hardware tampering issue — you need to coordinate your response with every organization in that supply chain.

Example 1: Maintain a vendor contact list in your IR plan that includes security points of contact for all critical suppliers. When a supply chain incident occurs (like SolarWinds or MOVEit), you can quickly notify and coordinate with affected vendors.

Example 2: Include supply chain incident scenarios in your annual tabletop exercises. Walk through a scenario where a key software vendor is compromised and you need to determine exposure, isolate affected systems, and communicate with the vendor and your customers simultaneously.