NIST CSF: ID.SC-3 Subcategory
From NIST's Cyber Security Framework (version 1):
Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Information security policy for supplier relationships (15.1.1)
ISO 27001:2013 -
Addressing security within supplier agreements (15.1.2)
ISO 27001:2013 -
Information and communication technology supply chain (15.1.3)
ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Define cyber security policies and procedure compliance requirements (4.3.2.6.4)
ISA/IEC 62443-2-1:2009 -
Review and update the cyber security policies and procedures (4.3.2.6.7)
ISA/IEC 62443-2-1:2009
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
| T1647 | Plist File Modification | Defense Evasion |
| T1505 | Server Software Component | Persistence |
| T1601.001 | Patch System Image | Defense Evasion |
| T1552 | Unsecured Credentials | Credential Access |
| T1553.006 | Code Signing Policy Modification | Defense Evasion |
| T1601 | Modify System Image | Defense Evasion |
| T1542.004 | ROMMONkit | Defense Evasion, Persistence |
| T1559.003 | XPC Services | Execution |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1552.001 | Credentials In Files | Credential Access |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1553 | Subvert Trust Controls | Defense Evasion |
| T1552.004 | Private Keys | Credential Access |
| T1542.003 | Bootkit | Defense Evasion, Persistence |
| T1612 | Build Image on Host | Defense Evasion |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1542.001 | System Firmware | Defense Evasion, Persistence |
| T1195.003 | Compromise Hardware Supply Chain | Initial Access |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1505.001 | SQL Stored Procedures | Persistence |
| T1505.004 | IIS Components | Persistence |
| T1213.003 | Code Repositories | Collection |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1528 | Steal Application Access Token | Credential Access |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1505.002 | Transport Agent | Persistence |
| T1495 | Firmware Corruption | Impact |
| T1552.002 | Credentials in Registry | Credential Access |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1567 | Exfiltration Over Web Service | Exfiltration |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
| A4.a | Supply Chain | The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. |