Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-12(5)

supply chain protection  | limitation of harm

assessment objective:

Determine if the organization:

sa-12(5)[1]

defines security safeguards to be employed to limit harm from potential adversaries identifying and targeting the organizational supply chain; and

sa-12(5)[2]

employs organization-defined security safeguards to limit harm from potential adversaries identifying and targeting the organizational supply chain.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; configuration management policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; procedures addressing the baseline configuration of the information system; configuration management plan; information system design documentation; information system architecture and associated configuration documentation; solicitation documentation; acquisition documentation; acquisition contracts for the information system, system component, or information system service; list of security safeguards to be taken to protect organizational supply chain against potential supply chain threats; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities].

Test: [select from: Organizational processes for defining and employing safeguards to limit harm from adversaries of the organizational supply chain; automated mechanisms supporting and/or implementing the definition and employment of safeguards to protect the organizational supply chain].