>myctrl.tools
Preferences
Under active development Content is continuously updated and improved · Last updated Feb 18, 2026, 2:55 AM UTC
Compare

IR-6 (03)Incident Reporting | Supply Chain Coordination

Moderate
High

>Control Description

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities.

Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IR-6(3) (Supply Chain Coordination)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IR-6(3)?
  • How frequently is the IR-6(3) policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IR-6(3) requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IR-6(3) requirements.
  • What automated tools, systems, or technologies are deployed to implement IR-6(3)?
  • How is IR-6(3) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IR-6(3) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IR-6(3)?
  • What audit logs, records, reports, or monitoring data validate IR-6(3) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IR-6(3) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IR-6(3) compliance?

Ask AI

Configure your API key to use AI features.