Supply Chain Risk
Manage cybersecurity risks in the supply chain.
7 of 9 frameworks cover this control
Framework Mappings
How Supply Chain Risk maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | GV.SC-01 GV.SC-03 |
| ISO 27001 | Covered | A.5.19 A.5.21 |
| CIS v8 | Not Covered | — |
| SOC 2 | Covered | CC9.2 |
| PCI DSS | Covered | 12.8.1 12.8.2 12.8.4 |
| CMMC | Not Covered | — |
| 800-53 | Covered | SR-1 SR-2 SR-3 |
| HIPAA | Covered | §164.308(b)(1) §164.314(a)(1) |
| GDPR | Covered | Art.28(1) Art.28(2) |
About Supply Chain Risk
Supply Chain Risk is a cybersecurity control in the Govern domain whose objective is to manage cybersecurity risks in the supply chain. Supply chain risk management addresses the security vulnerabilities introduced by third-party hardware, software, and service providers that have access to organizational systems or data. Organizations should evaluate supplier security postures before onboarding, include security requirements in contracts, and monitor ongoing compliance through questionnaires, audits, or continuous monitoring tools. High-profile supply chain attacks such as SolarWinds and MOVEit have demonstrated that even well-secured organizations can be compromised through trusted vendor relationships.
This control is recognized by 7 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, and GDPR. It is not covered by CIS v8 or CMMC, which represents a potential gap for organizations relying solely on those frameworks.