NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-12(12) Inter-organizational Agreements

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Use inter-organizational agreements to establish supply chain security requirements with your partners and suppliers. Agreements formalize expectations and provide accountability.

Example 1: Execute Interconnection Security Agreements (ISAs) or Memoranda of Understanding (MOUs) with organizations that connect to your systems. These agreements should specify security requirements, incident notification procedures, and responsibilities for each party.

Example 2: Include supply chain security clauses in all vendor contracts: requirements for reporting security incidents, obligation to notify you of subcontractor changes, and the right to audit their security practices. Review and update these clauses annually as threats evolve.