PL-8(2)—Supplier Diversity
>Control Description
Supplier diversity provides options for addressing information security and supply chain concerns. The enterprise should incorporate this control as it relates to suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers.
The enterprise should plan for the potential replacement of suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers in case one is no longer able to meet the enterprise’s requirements (e.g., company goes out of business or does not meet contractual obligations). Where applicable, contracts should be worded so that different parts can be replaced with a similar model with similar prices from a different manufacturer if certain events occur (e.g., obsolescence, poor performance, production issues, etc.).
Incorporate supplier diversity for off-the-shelf (commercial or government) components during acquisition security assessments. The evaluation of alternatives should include, for example, feature parity, interoperability, commodity components, and the ability to provide multiple delivery paths. For example, having the source code, build scripts, and tests for a software component could enable an enterprise to assign someone else to maintain it, if necessary.
>Cross-Framework Mappings