NIST CSF 2.0 - Govern

GV.SC-01: Supply Chain Risk Management

GV.SC-01 requires that a cybersecurity supply chain risk management program be established and resourced. This NIST CSF 2.0 control falls under the Govern (GV) function and the Supply Chain Risk Management category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: GV.SC-01
Title: Supply Chain Risk Management
Function: Govern (GV)
Category: Supply Chain Risk Management
Framework: NIST CSF 2.0

A cybersecurity supply chain risk management program is established and resourced.

The organization identifies and manages cybersecurity risks associated with suppliers, service providers and third-party technology components.

Why This Matters

Supply chain compromises account for a growing percentage of breaches. Without a formal program, organizations inherit the security weaknesses of every vendor and dependency they rely on.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of GV.SC-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with GV.SC-01 during an audit.

  • Supply chain risk management policy or program charter
  • Critical supplier inventory with risk ratings
  • Vendor security questionnaires and assessment results
  • Contract clauses requiring security standards and breach notification
  • Third-party risk monitoring reports or dashboards

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with GV.SC-01.

  • No formal supplier inventory exists beyond accounts payable records
  • Vendor contracts lack cybersecurity requirements or breach notification clauses
  • Third-party risk assessments are performed at onboarding but never repeated

FAQ

What does GV.SC-01 require?
GV.SC-01 (Supply Chain Risk Management) requires that a cybersecurity supply chain risk management program is established and resourced. The organization identifies and manages cybersecurity risks associated with suppliers, service providers and third-party technology components. This control is part of the NIST CSF 2.0 Govern function under the Supply Chain Risk Management category.
How do I prove compliance with GV.SC-01?
To demonstrate compliance with GV.SC-01, prepare the following evidence: Supply chain risk management policy or program charter; Critical supplier inventory with risk ratings; Vendor security questionnaires and assessment results. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
