Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-12

supply chain protection

assessment objective:

Determine if the organization:

sa-12[1]

defines security safeguards to be employed to protect against supply chain threats to the information system, system component, or information system service; and

sa-12[2]

protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; list of supply chain threats; list of security safeguards to be taken against supply chain threats; system development life cycle documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities].

Test: [select from: Organizational processes for defining safeguards for and protecting against supply chain threats; automated mechanisms supporting and/or implementing safeguards for supply chain threats].