NIST CSF: ID.SC-2 Subcategory

From NIST's Cyber Security Framework (version 1):

Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

CSF Mapped to SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

Search:

Node
RA-3: Risk Assessment
SA-12: Supply Chain Protection
SA-15: Development Process, Standards, and Tools
SA-14: Criticality Analysis
RA-2: Security Categorization
PM-9: Risk Management Strategy

Showing 1 to 6 of 6 entries

Related ISO 27001 Controls

Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.

Monitoring and review of supplier services (15.2.1)
ISO 27001:2013
Managing changes to supplier services (15.2.2)
ISO 27001:2013

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.

Prioritise Systems (4.2.3.6)
ISA/IEC 62443-2-1:2009
Select a risk assessment methodology (4.2.3.1)
ISA/IEC 62443-2-1:2009
Identify the industrial automation and control systems (4.2.3.4)
ISA/IEC 62443-2-1:2009
Identify the reassessment frequency and triggering criteria (4.2.3.10)
ISA/IEC 62443-2-1:2009
Conduct a detailed risk assessment (4.2.3.9)
ISA/IEC 62443-2-1:2009
Maintain vulnerability assessment records (4.2.3.14)
ISA/IEC 62443-2-1:2009
Document the Risk Assessment (4.2.3.13)
ISA/IEC 62443-2-1:2009
Identify a detailed risk assessment methodology (4.2.3.8)
ISA/IEC 62443-2-1:2009
Provide risk assessment background information (4.2.3.2)
ISA/IEC 62443-2-1:2009
Conduct a high-level risk assessment (4.2.3.3)
ISA/IEC 62443-2-1:2009
Conduct risk assessments throughout the lifecycle of the IACs (4.2.3.12)
ISA/IEC 62443-2-1:2009

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.

Search:

ATT&CK ID	Title	Associated Tactics
T1528	Steal Application Access Token	Credential Access
T1078.003	Local Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1552.001	Credentials In Files	Credential Access
T1552.004	Private Keys	Credential Access
T1078.004	Cloud Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1213.003	Code Repositories	Collection
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1574.002	DLL Side-Loading	Defense Evasion, Persistence, Privilege Escalation
T1552.006	Group Policy Preferences	Credential Access
T1078.001	Default Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1558.004	AS-REP Roasting	Credential Access
T1552	Unsecured Credentials	Credential Access
T1552.002	Credentials in Registry	Credential Access

Showing 1 to 13 of 13 entries

CSF Mapped to the NCSC CAF

Cyber Assessment Framework mappings generated from UK Cabinet Office data.

Search:

Control ID	Name	Description
A4.a	Supply Chain	The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

Showing 1 to 1 of 1 entries

NIST CSF: ID.SC-2 Subcategory

Cyber Threat Graph Context

CSF Mapped to SP800-53 Controls

Related ISO 27001 Controls

Monitoring and review of supplier services (15.2.1)

Managing changes to supplier services (15.2.2)

Related ISA/IEC 62443 Controls

Prioritise Systems (4.2.3.6)

Select a risk assessment methodology (4.2.3.1)

Identify the industrial automation and control systems (4.2.3.4)

Identify the reassessment frequency and triggering criteria (4.2.3.10)

Conduct a detailed risk assessment (4.2.3.9)

Maintain vulnerability assessment records (4.2.3.14)

Document the Risk Assessment (4.2.3.13)

Identify a detailed risk assessment methodology (4.2.3.8)

Provide risk assessment background information (4.2.3.2)

Conduct a high-level risk assessment (4.2.3.3)

Conduct risk assessments throughout the lifecycle of the IACs (4.2.3.12)

MITRE ATT&CK Techniques

CSF Mapped to the NCSC CAF