CAF Outcome A4.a: Supply Chain
From the UK NCSC's Cyber Assessment Framework (version 3.1):
The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
NCSC CAF Mapped to NIST CSF
Mappings from A4.a: Supply Chain to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.
| Control ID | Description |
|---|---|
| ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. |
| RS.MI-1 | Incidents are contained |
| RS.CO-4 | Coordination with stakeholders occurs consistent with response plans |
| ID.RA-4 | Potential business impacts and likelihoods are identified |
| PR.AC-3 | Remote access is managed |
| RS.MI-2 | Incidents are mitigated |
| ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process |
| DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
| PR.AT-2 | Privileged users understand their roles and responsibilities |
| DE.DP-4 | Event detection information is communicated |
| RS.CO-3 | Information is shared consistent with response plans |
| ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers |
| DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
| DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability |
| ID.GV-2 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners |
| ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established |
| RS.CO-1 | Personnel know their roles and order of operations when a response is needed |
| ID.BE-1 | The organization’s role in the supply chain is identified and communicated |
| ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders |
| ID.AM-3 | Organizational communication and data flows are mapped |
| ID.SC-3 | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. |
| PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities |
| PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Addressing security within supplier agreements (ISO 27001:2013, 15.1.2)
- Security of network services (ISO 27001:2013, 13.1.2)
- Agreements on information transfer (ISO 27001:2013, 13.2.2)
- Information and communication technology supply chain (ISO 27001:2013, 15.1.3)
- Monitoring and review of supplier services (ISO 27001:2013, 15.2.1)
- Managing changes to supplier services (ISO 27001:2013, 15.2.2)
- Outsourced development (ISO 27001:2013, 14.2.7)
- Information security policy for supplier relationships (ISO 27001:2013, 15.1.1)
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
MITRE ATT&CK techniques that this control helps to protect against, derived from the ATT&CK mitigation mappings by Ofgem listed above.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1546.011 | Application Shimming | Persistence, Privilege Escalation |
| T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |