CAF Outcome A4.a: Supply Chain

From the UK NCSC's Cyber Assessment Framework (version 3.1):

The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

A4.a: Supply Chain to CSF mappings generated from UK Cabinet Office table.

Search:

Control ID	Description
ID.SC-4	Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
RS.MI-1	Incidents are contained
RS.CO-4	Coordination with stakeholders occurs consistent with response plans
ID.RA-4	Potential business impacts and likelihoods are identified
PR.AC-3	Remote access is managed
RS.MI-2	Incidents are mitigated
ID.SC-2	Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
DE.AE-1	A baseline of network operations and expected data flows for users and systems is established and managed
PR.AT-2	Privileged users understand their roles and responsibilities
DE.DP-4	Event detection information is communicated
RS.CO-3	Information is shared consistent with response plans
ID.SC-5	Response and recovery planning and testing are conducted with suppliers and third-party providers
DE.CM-6	External service provider activity is monitored to detect potential cybersecurity events
DE.DP-1	Roles and responsibilities for detection are well defined to ensure accountability
ID.GV-2	Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.AM-6	Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
RS.CO-1	Personnel know their roles and order of operations when a response is needed
ID.BE-1	The organization’s role in the supply chain is identified and communicated
ID.SC-1	Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.AM-3	Organizational communication and data flows are mapped
ID.SC-3	Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
PR.AT-3	Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.MA-2	Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
DE.CM-7	Monitoring for unauthorized personnel, connections, devices, and software is performed

Showing 1 to 24 of 24 entries

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

User Account Control

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

Addressing security within supplier agreements (15.1.2)
ISO 27001:2013
Security of network services (13.1.2)
ISO 27001:2013
Agreements on information transfer (13.2.2)
ISO 27001:2013
Information and communication technology supply chain (15.1.3)
ISO 27001:2013
Monitoring and review of supplier services (15.2.1)
ISO 27001:2013
Managing changes to supplier services (15.2.2)
ISO 27001:2013
Outsourced development (14.2.7)
ISO 27001:2013
Information security policy for supplier relationships (15.1.1)
ISO 27001:2013

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Search:

Node
SA-12: Supply Chain Protection
SA-9: External System Services
AU-12: Audit Record Generation
AU-2: Event Logging
PS-7: External Personnel Security
AU-16: Cross-organizational Audit Logging
AU-6: Audit Record Review, Analysis, and Reporting
IR-4: Incident Handling
IR-8: Incident Response Plan
CP-2: Contingency Plan
PM-11: Mission and Business Process Definition
RA-3: Risk Assessment
PM-9: Risk Management Strategy
RA-2: Security Categorization
SA-14: Criticality Analysis
SC-15: Collaborative Computing Devices and Applications
AC-1: Policy and Procedures
AC-20: Use of External Systems
AC-17: Remote Access
AC-19: Access Control for Mobile Devices
SA-15: Development Process, Standards, and Tools
SI-4: System Monitoring
CA-3: Information Exchange
CM-2: Baseline Configuration
AC-4: Information Flow Enforcement
AT-3: Role-based Training
PM-13: Security and Privacy Workforce
RA-5: Vulnerability Monitoring and Scanning
CA-2: Control Assessments
CA-7: Continuous Monitoring
PE-6: Monitoring Physical Access
IR-3: Incident Response Testing
IR-6: Incident Reporting
CP-4: Contingency Plan Testing
IR-9: Information Spillage Response
SA-4: Acquisition Process
PM-14: Testing, Training, and Monitoring
PM-2: Information Security Program Leadership Role
PM-1: Information Security Program Plan
CP-3: Contingency Training
PL-8: Security and Privacy Architectures
CA-9: Internal System Connections
SA-11: Developer Testing and Evaluation
SA-16: Developer-provided Training
MA-4: Nonlocal Maintenance
CM-3: Configuration Change Control
PE-3: Physical Access Control
PE-20: Asset Monitoring and Tracking
CM-8: System Component Inventory

Showing 1 to 49 of 49 entries

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

Search:

ATT&CK ID	Title	Associated Tactics
T1574.005	Executable Installer File Permissions Weakness	Defense Evasion, Persistence, Privilege Escalation
T1550.002	Pass the Hash	Defense Evasion, Lateral Movement
T1574.010	Services File Permissions Weakness	Defense Evasion, Persistence, Privilege Escalation
T1548	Abuse Elevation Control Mechanism	Defense Evasion, Privilege Escalation
T1574	Hijack Execution Flow	Defense Evasion, Persistence, Privilege Escalation
T1546.011	Application Shimming	Persistence, Privilege Escalation
T1548.002	Bypass User Account Control	Defense Evasion, Privilege Escalation

Showing 1 to 7 of 7 entries

CAF Outcome A4.a: Supply Chain

Cyber Threat Graph Context

NCSC CAF Mapped to NIST CSF

ATT&CK Mitigations

User Account Control

Related ISO 27001 Controls

Addressing security within supplier agreements (15.1.2)

Security of network services (13.1.2)

Agreements on information transfer (13.2.2)

Information and communication technology supply chain (15.1.3)

Monitoring and review of supplier services (15.2.1)

Managing changes to supplier services (15.2.2)

Outsourced development (14.2.7)

Information security policy for supplier relationships (15.1.1)

Related SP800-53 Controls

MITRE ATT&CK Techniques