NIST CSF: ID.SC-2 Subcategory

From NIST's Cyber Security Framework (version 1):

Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process

CSF Mapped to SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

Related ISO 27001 Controls

Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.

  • Monitoring and review of supplier services (15.2.1)
    ISO 27001:2013
  • Managing changes to supplier services (15.2.2)
    ISO 27001:2013

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.

  • Prioritise Systems (4.2.3.6)
    ISA/IEC 62443-2-1:2009
  • Select a risk assessment methodology (4.2.3.1)
    ISA/IEC 62443-2-1:2009
  • Identify the industrial automation and control systems (4.2.3.4)
    ISA/IEC 62443-2-1:2009
  • Identify the reassessment frequency and triggering criteria (4.2.3.10)
    ISA/IEC 62443-2-1:2009
  • Conduct a detailed risk assessment (4.2.3.9)
    ISA/IEC 62443-2-1:2009
  • Maintain vulnerability assessment records (4.2.3.14)
    ISA/IEC 62443-2-1:2009
  • Document the Risk Assessment (4.2.3.13)
    ISA/IEC 62443-2-1:2009
  • Identify a detailed risk assessment methodology (4.2.3.8)
    ISA/IEC 62443-2-1:2009
  • Provide risk assessment background information (4.2.3.2)
    ISA/IEC 62443-2-1:2009
  • Conduct a high-level risk assessment (4.2.3.3)
    ISA/IEC 62443-2-1:2009
  • Conduct risk assessments throughout the lifecycle of the IACS (4.2.3.12)
    ISA/IEC 62443-2-1:2009

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.

ATT&CK ID   Title                            Associated Tactics
T1528       Steal Application Access Token   Credential Access
T1078.003   Local Accounts                   Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1552.001   Credentials In Files             Credential Access
T1552.004   Private Keys                     Credential Access
T1078.004   Cloud Accounts                   Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1213.003   Code Repositories                Collection
T1078       Valid Accounts                   Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1574.002   DLL Side-Loading                 Defense Evasion, Persistence, Privilege Escalation
T1552.006   Group Policy Preferences         Credential Access
T1078.001   Default Accounts                 Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1558.004   AS-REP Roasting                  Credential Access
T1552       Unsecured Credentials            Credential Access
T1552.002   Credentials in Registry          Credential Access

CSF Mapped to the NCSC CAF

Cyber Assessment Framework mappings generated from UK Cabinet Office data.

Control ID   Name           Description
A4.a         Supply Chain   The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.