NIST 800-53 SR-6 Mappings

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| SR-6 | Supplier Assessments and Reviews | Protects | T1059.002 | AppleScript |
| SR-6 | Supplier Assessments and Reviews | Protects | T1204.003 | Malicious Image |
| SR-6 | Supplier Assessments and Reviews | Protects | T1505 | Server Software Component |
| SR-6 | Supplier Assessments and Reviews | Protects | T1505.001 | SQL Stored Procedures |
| SR-6 | Supplier Assessments and Reviews | Protects | T1505.002 | Transport Agent |
| SR-6 | Supplier Assessments and Reviews | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SR-6 | Supplier Assessments and Reviews | Protects | T1554 | Compromise Client Software Binary |
| SR-6 | Supplier Assessments and Reviews | Protects | T1601 | Modify System Image |
| SR-6 | Supplier Assessments and Reviews | Protects | T1601.001 | Patch System Image |
| SR-6 | Supplier Assessments and Reviews | Protects | T1601.002 | Downgrade System Image |