Last updated Feb 18, 2026, 2:55 AM UTC

GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle

Control Description

This cybersecurity supply chain risk management subcategory ensures that supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle. Key activities include: Policies and procedures require provenance records for all acquired technology products and services; Periodically provide risk reporting to leaders about how acquired components are proven to be untampered and authentic; Communicate regularly among cybersecurity risk managers and operations personnel about the need to acquire software patches, updates, and upgrades ....

Cross-Framework Mappings

Informative References

Official NIST mappings to external frameworks and standards. Source: NIST CSF 2.0

CCMv4.0

STA-11
STA-12

CIS Controls v8.0

15.6

CIS Controls v8.1

15.6

CRI Profile v2.0

GV.SC-09
GV.SC-09.01

CSF v1.1

ID.SC-1

CoP

A4

ISO/IEC 27001:2022

Mandatory Clause: 6.1.1
Mandatory Clause: 6.1.2
Annex A Controls: 5.19
Annex A Controls: 5.20
Annex A Controls: 5.21
Annex A Controls: 5.22

NICE Framework

DD-WRL-001
OG-WRL-002
OG-WRL-009
OG-WRL-012
OG-WRL-015
OG-WRL-016

PCI DSS

6.4.3
9.5.1.1
9.5.1.2
9.5.1.2.1
6.3.1
6.3.3
11.6.1
6.2.3
+5 more

SCF

GOV-01
GOV-05
PRM-07
RSK-01
RSK-09
RSK-09.1
SEA-07.1
TDA-01.1

SP 800-171 Rev 3

03.11.01
03.11.04
03.16.03
03.17.01
03.17.02
03.17.03

SP 800-221A

GV.PO-1

SP 800-53 Rev 5.1.1

PM-09
PM-19
PM-28
PM-30
PM-31
RA-03
RA-07
SA-04
+5 more

SP 800-53 Rev 5.2.0

PM-09
PM-19
PM-28
PM-30
PM-31
RA-03
RA-07
SA-04
+5 more

SP-800-37 Rev 2

RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
RMF Prepare Step (Organization & Mission/Business Levels): TASK P-7 Continuous Monitoring Strategy—O
