T7.8.1 - SUPPLY CHAIN PROTECTION STRATEGY Implementation Guidance
The entity shall develop a comprehensive information security strategy against supply chain threats to the information assets.
The use of acquisition and procurement processes by entities early in the system development life cycle provides an important vehicle to protect the supply chain. Entities use available all-source intelligence analysis to inform the tailoring of acquisition strategies, tools, and methods. There are a number of different tools and techniques available (e.g., obscuring the end use of an information system or system component, using blind or filtered buys). Entities also consider creating incentives for suppliers who:
- A. Implement required security controls
- B. Promote transparency into their organizational processes and security practices
- C. Provide additional vetting of the processes and security practices of subordinate suppliers, critical information system components, and services
- D. Restrict purchases from specific suppliers or countries
- E. Provide contract language regarding the prohibition of tainted or counterfeit components
In addition, entities consider minimizing the time between purchase decisions and required delivery to limit opportunities for adversaries to corrupt information system components or products. Finally, entities can use trusted/controlled distribution, delivery, and warehousing options to reduce supply chain risk (e.g., requiring tamper-evident packaging of information system components during shipping and warehousing).