NIST 800-53 REV 5 • INCIDENT RESPONSE
IR-6(3) — Supply Chain Coordination
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.
Practitioner Notes
When an incident involves a product or service from a vendor, you need to report the relevant details back to that vendor and coordinate across the supply chain so everyone can protect themselves.
Example 1: If you discover a zero-day vulnerability in a vendor's product during incident response, report it to the vendor through their security disclosure process (usually found on their website). Also report to CISA if the product is widely used in critical infrastructure.
Example 2: Include vendor notification procedures in your IR plan. Maintain a list of security contacts for your critical vendors. When an incident involves a vendor product, notify them within 24 hours and share relevant IOCs and log data to help them investigate on their end.
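The vendor-notification procedure in Example 2, as an added example that is not part of this control text: a small Python module that keeps a vendor security-contact registry, builds one notification package per affected vendor scoped to that vendor's own product (so sharing stays limited to the information the organization decides is appropriate), tracks the 24-hour deadline, and flags affected products that have no contact on file. Vendor names, addresses, IOCs and log lines are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=24)  # vendor notification target from the IR plan
# Constructed registry of vendor security contacts (hypothetical vendors/addresses).
VENDOR_CONTACTS = {
    "ExampleVPN Inc": {"contact": "psirt@examplevpn.example", "products": ["ExampleVPN Gateway"]},
    "Acme Build Tools": {"contact": "security@acme-build.example", "products": ["Acme CI Runner"]},
}

@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    affected: dict[str, list[str]]  # product -> IOCs observed on or against it
    logs: dict[str, list[str]] = field(default_factory=dict)  # product -> log lines

def build_notifications(incident: Incident, now: datetime) -> list[dict]:
    """One package per registered vendor with an affected product. Each package
    carries only the IOCs and logs tied to that vendor's product, so a vendor
    learns nothing about other suppliers involved in the same incident."""
    deadline = incident.detected_at + NOTIFY_WINDOW
    packages = []
    for vendor, entry in VENDOR_CONTACTS.items():
        products = [p for p in entry["products"] if p in incident.affected]
        if not products:
            continue
        packages.append({
            "vendor": vendor, "contact": entry["contact"],
            "incident_id": incident.incident_id, "products": products,
            "iocs": sorted({i for p in products for i in incident.affected[p]}),
            "logs": [ln for p in products for ln in incident.logs.get(p, [])],
            "deadline": deadline, "overdue": now > deadline,  # past the 24h target?
        })
    return packages

def unregistered_products(incident: Incident) -> list[str]:
    """Affected products with no vendor contact on file: a gap in the contact list."""
    known = {p for e in VENDOR_CONTACTS.values() for p in e["products"]}
    return sorted(p for p in incident.affected if p not in known)

# Constructed sample incident; the IP, hash and log line are illustrative values.
DETECTED = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENT = Incident(
    "IR-2024-017", DETECTED,
    affected={"ExampleVPN Gateway": ["203.0.113.7", "sha256:deadbeef"], "LegacyNAS": ["198.51.100.9"]},
    logs={"ExampleVPN Gateway": ["2024-05-01T08:52Z gateway: admin login from 203.0.113.7"]},
)
NOW_ON_TIME = DETECTED + timedelta(hours=6)   # still inside the notification window
NOW_LATE = DETECTED + timedelta(hours=30)     # window missed; package is flagged overdue
```

Running `build_notifications(SAMPLE_INCIDENT, NOW_ON_TIME)` yields a single package for ExampleVPN Inc containing only that product's IOCs and log line, while `unregistered_products` reports LegacyNAS as a product the contact list does not cover.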