myctrl.tools

PM-30 Supply Chain Risk Management Strategy

>Control Description

a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;

b. Implement the supply chain risk management strategy consistently across the organization; and

c. Review and update the supply chain risk management strategy on organization-defined frequency or as required, to address organizational changes.

>Control Enhancements (1)

>Cross-Framework Mappings

>Supplemental Guidance

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans.

In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see SR-02) is implemented at the system level.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for developing and maintaining privacy communications and procedures for obtaining individual consent?
  • How does the organization ensure consent is informed, specific, and freely given?
  • Who reviews and approves consent mechanisms and procedures?
  • What process exists for individuals to withdraw consent?
  • What governance exists for managing and documenting individual consent?

Technical Implementation:

  • What consent management platforms or tools are used?
  • How is individual consent captured, recorded, and maintained?
  • What technical mechanisms enforce consent preferences?
  • How can individuals view and manage their consent status?
  • What audit trails exist for consent activities?

Evidence & Documentation:

  • Provide consent management procedures and mechanisms.
  • Provide evidence of individual consent capture and documentation.
  • Provide records of consent preferences and updates.
  • Provide documentation of consent withdrawal processes and instances.
  • Provide audit logs of consent activities.
