An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| SR-6 | Supplier Assessments and Reviews | Protects | T1059.002 | AppleScript |
| SR-6 | Supplier Assessments and Reviews | Protects | T1204.003 | Malicious Image |
| SR-6 | Supplier Assessments and Reviews | Protects | T1505 | Server Software Component |
| SR-6 | Supplier Assessments and Reviews | Protects | T1505.001 | SQL Stored Procedures |
| SR-6 | Supplier Assessments and Reviews | Protects | T1505.002 | Transport Agent |
| SR-6 | Supplier Assessments and Reviews | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SR-6 | Supplier Assessments and Reviews | Protects | T1554 | Compromise Client Software Binary |
| SR-6 | Supplier Assessments and Reviews | Protects | T1601 | Modify System Image |
| SR-6 | Supplier Assessments and Reviews | Protects | T1601.001 | Patch System Image |
| SR-6 | Supplier Assessments and Reviews | Protects | T1601.002 | Downgrade System Image |