NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT
SR-6 — Supplier Assessments and Reviews
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}.
Supplemental Guidance
An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.
Practitioner Notes
Regularly assess and review your suppliers' security posture — a vendor that was secure last year may not be secure today.
Example 1: Require critical vendors to provide annual SOC 2 Type II audit reports. Review the reports for any deficiencies, especially in areas relevant to your data (access control, encryption, incident response). Follow up on any noted exceptions or qualifications.
Example 2: Conduct annual security questionnaire reviews for all vendors handling your sensitive data. Ask about their security practices, recent incidents, insurance coverage, and business continuity plans. Track their responses year over year to identify trends or deterioration.
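The two examples above describe a recurring process: keep reviews on an annual cadence, follow up on audit exceptions, and compare questionnaire results across years to catch deterioration. The following Python script is an added illustration of how an organization might track that process; it is not NIST text or any official SR-6 tooling, and every supplier name, date, score and exception in it is constructed sample data (a SOC 2 review would of course be read by a person; the script only tracks status and trends).

```python
"""Supplier review tracker illustrating SR-6 follow-through.

Added example, not part of the NIST catalog. Flags three conditions:
  * reviews older than the annual cadence,
  * SOC 2 exceptions on critical suppliers not yet followed up,
  * questionnaire scores that dropped sharply versus the prior year.
All data below is constructed sample input.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class AuditReport:
    period_end: date          # end of the SOC 2 Type II reporting period
    exceptions: list          # exceptions/qualifications noted by the auditor
    resolved: bool = False    # True once follow-up with the vendor is closed


@dataclass
class Supplier:
    name: str
    critical: bool                  # handles sensitive data / critical service
    last_review: date               # date of the last assessment and review
    audits: list = field(default_factory=list)
    scores: dict = field(default_factory=dict)   # year -> questionnaire score 0-100


def overdue_reviews(suppliers, today, max_age_days=365):
    """Names of suppliers whose last review is older than the cadence."""
    return sorted(s.name for s in suppliers
                  if (today - s.last_review).days > max_age_days)


def open_audit_exceptions(suppliers):
    """Critical suppliers with audit exceptions that still need follow-up."""
    out = {}
    for s in suppliers:
        if not s.critical:
            continue
        pending = [e for a in s.audits if not a.resolved for e in a.exceptions]
        if pending:
            out[s.name] = pending
    return out


def deteriorating(suppliers, drop_threshold=10):
    """Suppliers whose latest score fell by at least drop_threshold points
    compared with the previous year's questionnaire (prior, latest)."""
    out = {}
    for s in suppliers:
        years = sorted(s.scores)
        if len(years) < 2:          # need two years to see a trend
            continue
        prev, cur = s.scores[years[-2]], s.scores[years[-1]]
        if prev - cur >= drop_threshold:
            out[s.name] = (prev, cur)
    return out


# Constructed sample data (hypothetical vendors, not real organizations).
SAMPLE = [
    Supplier("Acme Hosting", critical=True, last_review=date(2024, 3, 1),
             audits=[AuditReport(date(2023, 12, 31),
                                 ["Terminated user access not revoked within 24h"])],
             scores={2022: 88, 2023: 85, 2024: 70}),
    Supplier("Beta Payroll", critical=True, last_review=date(2023, 9, 15),
             audits=[AuditReport(date(2023, 12, 31), [], resolved=True)],
             scores={2023: 90, 2024: 91}),
    Supplier("Gamma Office Supplies", critical=False, last_review=date(2024, 6, 1),
             scores={2024: 75}),
]
REVIEW_DATE = date(2024, 12, 1)   # constructed "today" for the run


def review_summary(suppliers, today):
    """One dict a reviewer can act on; each value is a finding list/map."""
    return {
        "overdue": overdue_reviews(suppliers, today),
        "open_exceptions": open_audit_exceptions(suppliers),
        "deteriorating": deteriorating(suppliers),
    }


if __name__ == "__main__":
    for key, value in review_summary(SAMPLE, REVIEW_DATE).items():
        print(f"{key}: {value}")
```

On the sample data, Beta Payroll is overdue (last reviewed more than a year before the run date), Acme Hosting has an unresolved access-revocation exception and a 15-point year-over-year drop, and Gamma has only one year of scores so no trend can be judged yet. The thresholds (365 days, 10 points) are assumptions for the example; an organization would set them from its own policy and the supplier's criticality.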