T7.8.4 - SUPPLY CHAIN OPERATIONS SECURITY Implementation Guidance
The entity shall employ security controls to protect supply chain operations.
Supply chain information includes, for example: user identities; uses for information systems, information system components, and information system services; supplier identities; supplier processes; security requirements; design specifications; testing and evaluation results; and system/component configurations. This control enhancement expands the scope of operations security (OPSEC) to include suppliers and potential suppliers. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to operations and other activities to:
- A. Identify those actions that can be observed by potential adversaries
- B. Determine indicators that adversaries might obtain that could be interpreted or pieced together to derive critical information in sufficient time to cause harm to entities
- C. Implement controls or countermeasures to eliminate, or reduce to an acceptable level, exploitable vulnerabilities
- D. Consider how aggregated information may compromise the confidentiality of users or uses of the supply chain
OPSEC may require entities to withhold critical mission/business information from suppliers and may include the use of intermediaries to hide the end use, or users, of information systems, system components, or information system services.