
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance


SA-12(11) SUPPLY CHAIN PROTECTION  |  PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS


Assessment scoring worksheet (C, I and A are each rated L1 / M2 / H3; RPN is the sum C+I+A):

Applicable    | (C)onfidentiality | (I)ntegrity  | (A)vailability | RPN     | (S)atisfactory /
(Y)es / (N)o  | L1 / M2 / H3      | L1 / M2 / H3 | L1 / M2 / H3   | (C+I+A) | (O)ther than satisfactory +##
              |                   |              |                |         |


assessment objective:

Determine if the organization:

SA-12(11)[1] defines supply chain:
    SA-12(11)[1][a] elements to be analyzed and/or tested;
    SA-12(11)[1][b] processes to be analyzed and/or tested;
    SA-12(11)[1][c] actors to be analyzed and/or tested;

SA-12(11)[2] employs one or more of the following to analyze and/or test the organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service:
    SA-12(11)[2][a] organizational analysis;
    SA-12(11)[2][b] independent third-party analysis;
    SA-12(11)[2][c] organizational penetration testing; and/or
    SA-12(11)[2][d] independent third-party penetration testing.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing supply chain protection; evidence of organizational analysis, independent third-party analysis, organizational penetration testing, and/or independent third-party penetration testing; list of supply chain elements, processes, and actors (associated with the information system, system component, or information system service) subject to analysis and/or testing; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities; organizational personnel with responsibilities for analyzing and/or testing supply chain elements, processes, and actors].

Test: [select from: Organizational processes for defining and employing methods of analysis/testing of supply chain elements, processes, and actors; automated mechanisms supporting and/or implementing the analysis/testing of supply chain elements, processes, and actors].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056