03.17.03.b—Supply Chain Requirements and Processes b
>Control Description
Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: ⚙organization-defined security requirements.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What are the organization-defined values/selections for the assignment/selection parameters in this control?
- •How were these organization-defined values determined based on risk assessment and operational needs?
- •Who approved the organization-defined values, and when were they last reviewed?
- •What governance oversight ensures this control requirement is consistently applied?
- •How do you track and monitor compliance with this control requirement?
Technical Implementation:
- •What technical mechanisms implement the requirement described in this control?
- •How do you technically enforce compliance with this control across all relevant systems?
- •What automated controls or tools support implementation of this requirement?
- •How do you prevent circumvention or bypass of the technical controls for this requirement?
- •What monitoring or alerting validates that technical controls are functioning as intended?
Evidence & Documentation:
- •Provide documented policies, procedures, or standards addressing this control requirement
- •Show technical configurations or settings that implement this control
- •Demonstrate that the control is actively enforced across CUI systems
- •Provide audit logs, reports, or other evidence showing this control in operation
- •Show evidence of periodic testing, validation, or review of this control's effectiveness
Ask AI
Configure your API key to use AI features.