@nealfennimore
Last active November 26, 2024 16:03
Cybersecurity Supply Chain Risk Management C-SCRM Template

1. QUALIFYING QUESTIONS

Note

If you can provide affirmative responses to the questions below AND supporting, non-expired documentation, you may skip ALL remaining questions.

1.1. Have you previously provided supply chain risk management information to this organization?

Note

If ‘Yes,’ please provide an updated revision covering material changes.

1.2 Do you have controls fully aligned to NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations?

1.2.1. Please provide proof of the scope of controls implemented and how the controls were validated
1.2.2. Provide any additional supporting documentation of relevant and current third-party assessments or certifications for supply chain risk management, such as ANSI/ASIS SCRM.1-2014, ISO 28000:2007, ISO 31000, ISO 20243, etc.

Note

If you responded affirmatively to ANY of the questions above, you may attach supporting documentation, skip the remaining questions, and continue to the signature page.

2. SUPPLY CHAIN MANAGEMENT AND SUPPLIER GOVERNANCE

General

2.1 Do you have policies to ensure timely notification of updated risk management information previously provided to us?

Warning

[Yes, No, Alternate, or N/A]

2.1.1. How do you notify us of changes?
2.1.2. What is your customer notification policy?

Information Communications Technology (ICT) Supply Chain Management

2.2 Do you have a documented Quality Management System (QMS) for your ICT supply chain operation based on an industry standard or framework?

Warning

[Yes, No, Alternate, or N/A]

2.2.1. Please provide the document which describes your QMS, including any standards or frameworks to which it is aligned

2.3 Do you have an organization-wide strategy for managing end-to-end supply chain risks (from development, acquisition, and life cycle support through disposal of systems, system components, and system services)?

Warning

[Yes, No, Alternate, or N/A]

2.3.1. What is your strategy?
2.3.2. How have you implemented it?

Authentication and Provenance

2.4. Do you have a policy or process to ensure that none of your suppliers or third-party components are on any banned list?

Warning

[Yes, No, Alternate, or N/A]

2.5 Do you provide a bill of materials (BOM) for your products, services, and components which includes all logic-bearing (e.g., readable/writable/programmable) hardware, firmware, and software?

Warning

[Yes, No, Alternate, or N/A]

2.5.1. If you provide a BOM that does not include all logic-bearing hardware, firmware, and software, what does your BOM include?
2.5.2. Upon request, are you able to provide your BOM including all logic-bearing hardware, firmware, and software?
2.5.3. How do you track changes in your products, services, and components, and how do you reflect those changes in the applicable BOM(s)?

2.6 For hardware components included in the product offering, do you only buy from original equipment manufacturers or licensed resellers?

Warning

[Yes, No, Alternate, or N/A]

2.7 Do you have a process for tracking and tracing your product while in development and manufacturing?

Warning

[Yes, No, Alternate, or N/A]

2.7.1. How do you keep track of your chain of custody?
2.7.2. How do you track and trace components within your product?

Supplier Governance

2.8 Do you have written Supply Chain Risk Management (SCRM) requirements in your contracts with your suppliers?

Warning

[Yes, No, Alternate, or N/A]

2.8.1. What are your SCRM requirements?
2.8.2. How do you verify that your suppliers are meeting contractual terms and conditions which may include requirements to be passed down to sub-suppliers?
2.8.3. If violations of contractual SCRM requirements or SCRM-related incidents occur, do you ensure and monitor any remediation activities?

2.9 Do you revise your written SCRM requirements regularly to include needed provisions?

2.10 Do you have policies for your suppliers to notify you when there are changes to their subcontractors or their offerings (components, products, services, or support activities)?

Warning

[Yes, No, Alternate, or N/A]

2.10.1. Please describe your policy

3. SECURE DESIGN AND ENGINEERING

Note

If your answer to the question below is ‘Yes,’ please continue and complete the remaining questions in this section. If your answer is ‘No,’ you may skip the remainder of this section and move on to the next section of this questionnaire.

3.1 Does your organization develop (or integrate) custom hardware or software offerings?

Warning

[Yes, No, Alternate, or N/A]

3.1.1. List the custom software, hardware, system, or solution offering(s) provided by your organization

Product Offering Lifecycle Management and Organization

3.2 Do you implement formal organizational roles and governance responsible for the implementation and oversight of Secure Engineering across the development or manufacturing process for product offerings?

Warning

[Yes, No, Alternate, or N/A]

3.2.1. If so, how are roles, responsibilities, and practices validated?

3.3 What security control framework (industry or customized) is used to define product offering security capabilities?

Warning

Please describe or "N/A"

3.4 Does your organization document and communicate security control requirements for your hardware, software, or solution offering?

Warning

[Yes, No, Alternate, or N/A]

3.4.1. How are security requirements validated as part of the product offering development or manufacturing process?

3.5 How does your organization implement development and manufacturing automation to enforce lifecycle processes and practices?

Protect IP and Product (Supplier) Offering Assets

3.6 Does your organization protect all forms of code from unauthorized access and tampering, including patch updates?

Warning

[Yes, No, Alternate, or N/A]

3.6.1. How does your organization prevent unauthorized changes to code, both inadvertent and intentional, which could circumvent or negate the intended security characteristics of the software?

3.7 Does your organization provide a mechanism for verifying software release integrity, including patch updates for your software product offering?

Warning

[Yes, No, Alternate, or N/A]

3.8 How does your organization prevent malicious and/or counterfeit IP components within your product offering or solution?

3.9 Does your organization manage the integrity of IP for its product offering?

Warning

[Yes, No, Alternate, or N/A]

3.9.1. How does your organization archive assets associated with the product offering development or manufacturing process?

Secure Coding and Manufacturing Practices

3.10 Does your organization define, follow, and validate secure coding and manufacturing practices to mitigate security risks?

Warning

[Yes, No, Alternate, or N/A]

3.10.1. How does your organization conduct threat modeling to determine required product offering security requirements?
3.10.2. How does your organization determine how identified risks are mitigated in product offering design?
3.10.3. How does your organization justify risk-based decisions to relax or waive security requirements or controls?
3.10.4. How does your organization validate that the offering will meet the security requirements and satisfactorily address the identified threat assessment?

3.11 Does your organization verify that third-party software provides required security requirements/controls?

Warning

[Yes, No, Alternate, or N/A]

3.11.1. How does your organization reduce the risk associated with using acquired software modules and services, which are potential sources of additional vulnerabilities?

3.12 Does your organization reuse existing, well-secured software and hardware components, when feasible, instead of duplicating functionality?

Warning

[Yes, No, Alternate, or N/A]

3.13 Does your organization configure the compilation and build processes to improve executable security?

Warning

[Yes, No, Alternate, or N/A]

3.13.1. How does your organization decrease the number of security vulnerabilities in the software and reduce costs by eliminating vulnerabilities before testing occurs?

3.14 Does your organization implement formal vulnerability and weakness analysis practices?

3.14.1. Does your organization automate the identification of security vulnerabilities and weaknesses?
3.14.2. Does your organization test executable code or components to identify vulnerabilities and verify compliance with security requirements?

3.15 Does your organization configure offerings to implement secure settings by default?

Warning

[Yes, No, Alternate, or N/A]

3.15.1. Does your organization test offerings using hardened runtime environments?

Warning

[Yes, No, Alternate, or N/A]

Respond to Vulnerabilities (RV)

3.16 Does your organization maintain and manage a Product Security Incident Response Team (PSIRT) and an associated vulnerability reporting and response program?

Warning

[Yes, No, Alternate, or N/A]

3.16.1. How does your organization assess, prioritize, and remediate reported vulnerabilities?
3.16.2. How does your organization ensure that vulnerabilities are remediated in a timely period, reducing the window of opportunity for attackers?

3.17 Does your organization analyze vulnerabilities to identify root cause?

Warning

[Yes, No, Alternate, or N/A]

3.17.1. Are vulnerability root causes used as input to update secure development processes, tools, and training in order to lower the rate of future vulnerabilities?

4. INFORMATION SECURITY

4.1 Do you hold a valid information security/cybersecurity third-party attestation or certification? (e.g., ISO 27001, SOC 2 Type 2, CMMC Level 3-5, Cybersecurity Maturity Assessment, etc.)

Note

If yes, please state the program and date that you were certified, and provide a copy of the certification. You may skip the remaining questions of this section and proceed to the following section. If no, continue.

4.2 Do you follow operational standards or frameworks for managing information security/cybersecurity? (e.g., NIST CSF 1.1, NIST SP 800-37 Rev. 2, NIST SP 800-161, ISO/IEC 27001, ISO 20243, ISO 27036, SAE AS649)

Warning

[Yes, No, Alternate, or N/A]

4.2.1. If so, please state which one(s)?

4.3 Do you have company-wide, publicly available information security policies in place covering privacy policies?

Warning

[Yes, No, Alternate, or N/A]

4.3.1. If ‘Yes’, please provide
4.3.2. What mechanisms are in place to ensure your policies are enforced within your supply chain?
4.3.2.1. Do you receive notification of and have a response plan in place for privacy violations of the suppliers in your supply chain?

Asset Management

4.4 Do you inventory and audit back-up and/or replacement hardware and software assets to ensure their accountability and integrity?

Warning

[Yes, No, Alternate, or N/A]

4.4.1. What recognized standards or frameworks do you follow to ensure the integrity of back-up assets? (e.g., NIST SP 800-53, NIST SP 800-171 (DFARS), ISA/IEC 62443, or ISO 27001/27002)

4.5 Do you have a defined governance scope for asset management, including line-of-business technology, facilities, devices, and all other data-generating hardware (such as Internet of Things devices)?

Warning

[Yes, No, Alternate, or N/A]

4.6 Do you have processes or procedures in place to ensure that devices and software installed by users external to your IT department (e.g., line of business personnel) are being discovered, properly secured, and managed?

Warning

[Yes, No, Alternate, or N/A]

4.6.1. What, if any, types of assets are out of scope for your tracking procedures?

4.7 Do you have an asset management program approved by management for your IT assets that is regularly maintained?

Warning

[Yes, No, Alternate, or N/A]

4.7.1. What are your methods to manage IT assets on the network?
4.7.1.1. How do you manage IT hardware and software assets that are not network connected?
4.7.2. What are your methods of verifying acceptable use of assets, including verified asset return, for your network-connected assets?

4.8 Do you have documented policies or procedures to manage enterprise network-connectable assets throughout their lifecycle?

Warning

[Yes, No, Alternate, or N/A]

4.8.1. What are your processes to manage obsolescence of network-connected assets?
4.8.2. What are your policies or procedures to ensure your enterprise software platforms and applications, and hardware assets, are classified according to their criticality?
4.8.3. What are your policies or procedures to ensure appropriate controls are in place for internal or third-party cloud services?

4.9 Do you ensure that you are not sourcing assets on a banned list to customers (e.g., ITAR, NDAA Section 889)?

Warning

[Yes, No, Alternate, or N/A]

4.9.1. How do you ensure that you are not providing assets on a banned list to customers?

4.10 Do you have documented hardware and software policies and practices in place to ensure asset integrity?

Warning

[Yes, No, Alternate, or N/A]

4.10.1. What recognized standards or frameworks are followed to ensure asset integrity?
4.10.1.1. How do you ensure that regular reviews and updates of the asset integrity policies and practices are performed?

Identify

4.11 Do you have documented policies or procedures for identification and detection of cyber threats?

Warning

[Yes, No, Alternate, or N/A]

4.11.1. What processes do you have in place to promptly detect cyber threats?
4.11.1.1. How do you manage the identification of threats within your supply chain, including suppliers and sub-contractors?
4.11.1.2. What processes are in place to act upon external credible cyber security threat information received?

4.12 Do you address the interaction of cybersecurity operational elements (e.g., SOC, CSIRT, etc.) with the physical security operational elements protecting the organization’s physical assets?

Warning

[Yes, No, Alternate, or N/A]

4.12.1. How do you ensure that physical security incidents and suspicious events are escalated to cybersecurity operations staff?
4.12.2. Are cybersecurity vulnerabilities for industrial control systems, including physical access controls and video monitoring systems, tracked?
4.12.3. What standards or frameworks are followed for management of IT and OT system interactions?

4.13 Do you have a policy or procedure for the handling of information that is consistent with its classification?

Warning

[Yes, No, Alternate, or N/A]

4.13.1. What is your process to verify that information is classified according to legal, regulatory, or internal sensitivity requirements?
4.13.1.1. How do you convey requirements for data retention, destruction, and encryption to your suppliers?

4.14 Do you have documented policies or procedures for internal identification and management of vulnerabilities within your networks and enterprise systems?

Warning

[Yes, No, Alternate, or N/A]

4.14.1. What industry standards or frameworks are followed for vulnerability management?
4.14.1.1. How do you identify vulnerabilities in your supply chain (suppliers/sub-contractors) before they pose a risk to your organization?
4.14.1.2. How do you assess and prioritize the mitigation of vulnerabilities discovered on your internal networks and systems? (e.g., asset criticality, exploitability, severity, etc.)

Protect

4.15 Do you have network access control policies and procedures in place for your information systems that are aligned with industry standards or control frameworks?

Warning

[Yes, No, Alternate, or N/A]

4.15.1. If Yes, please list any standards or frameworks used
4.15.2. What are your practices for items such as federation, privileged users, and role-based access control for end-user devices?
4.15.2.1. How do you ensure remote access is managed for end-user devices, employees, and suppliers, including deactivation of accounts? (e.g., multi-factor authentication, encryption, protection from malware, etc.)
4.15.2.2. How do you identify and correct end-user systems that fall out of compliance?

4.16 Is cybersecurity training required for personnel who have administrative rights to your enterprise computing resources?

Warning

[Yes, No, Alternate, or N/A]

4.16.1. What is the frequency for verifying personnel training compliance?
4.16.2. What cybersecurity training is required for your third-party stakeholders (e.g., suppliers, customers, partners, etc.) who have network access?
4.16.2.1. How is training compliance tracked for third parties with network access?

4.17 Do you include contractual obligations to protect information and information systems handled by your suppliers?

Warning

[Yes, No, Alternate, or N/A]

4.17.1. What cybersecurity standards or frameworks are the contractual supplier terms for information protection aligned to, if any?

4.18 Do you have an organizational policy on the use of encryption that conforms with industry standards or control frameworks?

Warning

[Yes, No, Alternate, or N/A]

4.18.1. What industry standards or control frameworks are followed for encryption and key management?
4.18.2. What processes or procedures exist to comprehensively manage the use of encryption keys?
4.18.2.1. What is your process for protecting data at rest and in transit?

4.19 Does your organization have hardening standards in place for network devices (e.g., wireless access points, firewalls, etc.)?

Warning

[Yes, No, Alternate, or N/A]

4.19.1. What protections exist to provide network segregation where appropriate, and how is it monitored (e.g., intrusion detection systems)?
4.19.2. What controls exist to continuously monitor changes to your network architecture (e.g., NIST SP 800-53 or related controls)?
4.19.3. How do you manage prioritization and mitigation of threats discovered on your networks?
4.19.4. How do you track changes to software versions on your servers?

4.20 Do you follow an industry standard or framework for your internal or third-party cloud deployments, if applicable?

Warning

[Yes, No, Alternate, or N/A]

4.20.1. What protections are in place between your network and cloud service providers?
4.20.1.1. How do you convey cloud security requirements to your suppliers/sub-contractors?

Detect

4.21 Do you have defined and documented incident detection practices that outline which actions should be taken in the case of an information security or cybersecurity event?

Warning

[Yes, No, Alternate, or N/A]

4.21.1. Are cybersecurity events centrally logged, tracked, and continuously monitored?
4.21.2. Are incident detection practices continuously improved?

4.22 Do you require vulnerability scanning of software running within your enterprise prior to acceptance?

Warning

[Yes, No, Alternate, or N/A]

4.22.1. What procedures or policies exist, if any, for detecting vulnerabilities in externally obtained software (such as penetration testing of enterprise and non-enterprise software)?
4.22.2. What are your procedures to scan for vulnerabilities in supplier-provided software running on your network?

4.23 Do you manage updates, version tracking of new releases, and patches (including patching history) for your software and software services offerings?

Warning

[Yes, No, Alternate, or N/A]

4.23.1. What is the responsibility of the product end-user (customer) for updating software versions?

4.24 Do you deploy anti-malware software?

Warning

[Yes, No, Alternate, or N/A]

4.24.1. What systems are out of scope for anti-malware software compliance, if any?
4.24.1.1. How do you ensure anti-malware is present on developer platforms, as applicable to your offering?

Respond & Recover

4.25 Do you have a documented incident response process and a dedicated incident response team (CSIRT - Computer Security Incident Response Team)?

Warning

[Yes, No, Alternate, or N/A]

4.25.1. What is your process for reviewing and exercising your resiliency plan?
4.25.2. What is your process to ensure customers and external entities (such as government agencies) are notified of an incident when their product or service is impacted?

4.26 Do you have processes or procedures to recover full functionality, including integrity verification, following a major cybersecurity incident?

Warning

[Yes, No, Alternate, or N/A]

4.26.1. What is the frequency for testing of back-up media?

4.27 Do you insure for financial harm from a major cybersecurity incident (e.g., self-insure, third-party, parent company, etc.)?

Warning

[Yes, No, Alternate, or N/A]

4.27.1. Does coverage include financial harm to your customers resulting from a cybersecurity breach which has impacted your company?

5. PHYSICAL SECURITY

5.1 Is the entity (organization, operational unit, facility, etc.) currently covered by an unrestricted/unlimited National Industrial Security Program (NISP) Facility Clearance (FCL) or a related U.S. government program, such as C-TPAT, that certifies the entity as meeting appropriate physical security standards?

Note

If ‘Yes,’ please state the program that certified you and date of last certification. You may skip the remaining questions of this section and proceed to the next section. If not, continue with this section.

5.1.1. If the entity is not covered by a NISP FCL but currently holds some other U.S. Government or industry attestation, such as TAPA FSR, of meeting a physical security code or standard, please identify the standard, the issuing agency, and the most recent date of certification
5.1.2. Is the entity covered by a limited FCL (under an agreement with a foreign government)? Please describe

5.2 Do you have documented security policies and procedures that address the control of physical access to cyber assets (network devices, data facilities, patch panels, industrial control systems, programmable logic, etc.)?

Warning

[Yes, No, Alternate, or N/A]

5.2.1. To what standards/controls do you adhere? (e.g., NIST publication, ISO, UL, etc.)
5.2.1.1. How often do you review and update those policies and procedures, and when was the most recent review?
5.2.1.2. If needed, can you provide these documents for our review?

5.3 Do you have documented policies addressing staff training which includes procedures to limit physical access to cyber assets to only those with demonstrated need?

Warning

[Yes, No, Alternate, or N/A]

5.3.1. What training do all staff receive to address potential physical security threats and how to respond to emergencies (e.g., fire, weather, etc.)?
5.3.2. What training do cybersecurity staff, physical security staff, and contractors with at least limited access to sensitive areas of a facility receive?
5.3.2.1. How does this training address potential threats to the facility and how the physical access controls are integrated with system network interfaces?
5.3.3. What standards do you follow, or did you implement (e.g., NIST publication, ISO, UL, etc.)?
5.3.3.1. How is this training documented?

5.4 Do you have a documented Security Incident Response process covering physical security incidents? (e.g., potential intruder access, missing equipment, etc.)

Warning

[Yes, No, Alternate, or N/A]

5.4.1. What processes do you have in place to document the actions taken during and after an actual or suspected physical security incident (e.g., security log, formal report to management, police report, etc.)?
5.4.1.1. How do you ensure that your staff understands and complies with procedures (e.g., training, exercises, and actual cases of incident response)?

5.5 For facilities that use an independent contractor for physical security, are physical facilities security policies and procedures incorporated into service level agreements, contracts, policies, or regulatory practices?

Warning

[Yes, No, Alternate, or N/A]

5.5.1. What physical / facilities security policies and practices are subject to audit?
5.5.2. For contractors who have access to a critical facility, sensitive assets, or major physical plant systems, what standards are they required to attest to? (e.g., NIST publication, ISO, UL, etc.)
5.5.2.1. How is compliance with these standards validated?

5.6 Are there enforcement mechanisms (e.g., sanctions, response procedures, technology) for unauthorized physical access to mission/business critical information, functions, services and assets?

Warning

[Yes, No, Alternate, or N/A]

5.6.1. What type of action or response would be taken for unauthorized physical access to sensitive cyber assets?

5.7 Do you have evidence that physical security mechanisms are effective and adequate to protect assets? Evidence could include third-party assessments, self-assessments, records of actions taken to enforce rules, etc.

Warning

[Yes, No, Alternate, or N/A]

5.7.1. What is the date of the last review and update to your enforcement strategy?

Physical Security In-transit

5.8 Do you utilize a controlled bill of materials (BOM) or similar capability to protect assets that are being received, in process, or in-transit?

Warning

[Yes, No, Alternate, or N/A]

5.8.1. What industry standards or frameworks are followed?

5.9 Do you have requirements that all items being shipped have tamper-evident packaging?

Warning

[Yes, No, Alternate, or N/A]

5.9.1. What industry standards or frameworks are being followed to ensure packaging is tamper-evident?
5.9.1.1. How are these requirements audited to ensure that they are effective?

5.10 Do you have processes in place to prevent counterfeit parts from entering your supply chain?

Warning

[Yes, No, Alternate, or N/A]

5.10.1. What requirements, if any, are in place to ensure the use of Original Equipment Manufacturer (OEM) or Authorized Distributors for all key components?
5.10.2. What are your processes for the detection and disposition of counterfeit electronic components?
5.10.2.1. How do you pass on counterfeit prevention requirements to your third-party suppliers?

6. PERSONNEL SECURITY

6.1 Does a formal personnel security program exist?

Warning

[Yes, No, Alternate, or N/A]

6.1.1. Is employee access managed by role?
6.1.2. Is access to business-critical systems, manufacturing facilities, and assets formally managed and maintained? Please describe
6.1.3. Are physical security practices formally governed, documented, maintained, and enforced?

Onboarding

6.2 Do you have a process for onboarding personnel?

Warning

[Yes, No, Alternate, or N/A]

6.2.1. Does the process include security awareness training?
6.2.2. What is the process to determine the level of access to company identifications (IDs), tokens, documents, applications, etc.?
6.2.3. What is the process to distribute company assets?
6.2.4. Is the onboarding process documented?
6.2.4.1. If ‘Yes’, please provide a copy

6.3 Do you have policies for conducting background checks of your employees as permitted by the country in which you operate?

Warning

[Yes, No, Alternate, or N/A]

6.3.1. If not permitted by the country, please note that and provide the part of your supply chain for which it is applicable
6.3.2. How do you conduct the background checks and document, validate, and update their responses?

6.4 Do you have policies for conducting background checks for your suppliers, as permitted by the country in which you operate?

Warning

[Yes, No, Alternate, or N/A]

6.4.1. If not permitted by the country, please note that and provide the part of your supply chain for which it is applicable
6.4.2. How do you conduct the background checks and document, validate, and update their responses?

6.5 Do you have policies for conducting background checks for any subcontractors, as permitted by the country in which you operate?

Warning

[Yes, No, Alternate, or N/A]

6.5.1. If not permitted by the country, please note that and provide the part of your supply chain for which it is applicable
6.5.2. How do you conduct the background checks and document, validate, and update their responses?

Offboarding

6.6 Do you have a process for offboarding personnel?

Warning

[Yes, No, Alternate, or N/A]

6.6.1. Does the process include a process to transfer knowledge to other personnel?
6.6.2. What is the process to remove access to all company documents, applications, assets, etc.?
6.6.3. What is the process to recover all company assets?
6.6.4. Is that process documented?

Awareness and Training (Security-Specific)

6.7 Are personnel security practices formally documented and accessible to all employees?

Warning

[Yes, No, Alternate, or N/A]

6.8 Are personnel security practices routinely enforced, audited, and updated?

Warning

[Yes, No, Alternate, or N/A]

6.9 Are personnel required to complete formal SCRM training annually?

Warning

[Yes, No, Alternate, or N/A]

6.10 Are all personnel trained in security best practices? This includes, but is not limited to, insider threats, access control, and data protection

Warning

[Yes, No, Alternate, or N/A]

6.11 Is there additional security training provided to users with elevated privileges?

Warning

[Yes, No, Alternate, or N/A]

6.12 Are you aware of security training practices performed by your sub-suppliers to their personnel?

Warning

[Yes, No, Alternate, or N/A]

6.12.1. If ‘Yes’, does it align with your security practices?

6.13 Do you have a Code of Conduct for your employees, suppliers and subcontractors?

Warning

[Yes, No, Alternate, or N/A]

6.13.1. Is the Code of Conduct always available and visible to your employees, suppliers and subcontractors?
6.13.2. How [regularly or often] is this Code of Conduct updated? Please describe the frequency
6.13.3. Do you have personnel designated to address questions or violations to the Code of Conduct?
6.13.4. Are these employees, suppliers, and subcontractors trained on the Code of Conduct, including privacy and confidentiality requirements, as required by your industry?

7. SUPPLY CHAIN INTEGRITY

7.1 Do your processes for product integrity conform to any recognized standards (e.g., ISO 27036, SAE AS6171, etc.)?

Warning

[Yes, No, Alternate, or N/A]

7.2 Do you control the integrity of your hardware/software (HW/SW) development practices by using Secure Development Lifecycle practices?

Warning

[Yes, No, Alternate, or N/A]

7.2.1. How do you manage the conformance of your third parties to your procedures?

7.3 Do you have documented performance and validation procedures for your HW/SW products or services?

Warning

[Yes, No, Alternate, or N/A]

7.3.1. What is your process to ensure conformance to those procedures?
7.3.1.1. How do you manage HW/SW products or services that are not in compliance with those procedures?
7.3.1.2. How are subcontractors held accountable to performance specifications?
7.3.2. What, if any, automated controls are in place for your validation processes?
7.3.2.1. How do you audit your validation processes?

7.4 Do you have processes in place to independently detect anomalous behavior and defects in HW/SW products or services?

Warning

[Yes, No, Alternate, or N/A]

7.4.1. What means do you provide to allow customers to report anomalies?
7.4.1.1. How do you monitor and track anomalous product or service behavior?

7.5 Do you monitor third-party HW/SW products or services for defects?

Warning

[Yes, No, Alternate, or N/A]

7.5.1. What are your processes for managing third-party products and component defects throughout their lifecycle?

7.6 Does the functional integrity of your product or services rely on cloud services (commercial or hybrid)?

Warning

[Yes, No, Alternate, or N/A]

7.6.1. What policies and procedures are in place to protect the integrity of the data provided through cloud services?
7.6.1.1. How do you manage the shared responsibility for cloud service integrity requirements with your suppliers?

7.7 Do you have required training on quality and product integrity processes for employees, suppliers, and subcontractors?

Warning

[Yes, No, Alternate, or N/A]

7.7.1. What mechanisms are in place for direct employees and contracted workers to ensure applicable training has been completed?
7.7.1.1. Do you pass down training requirements to your sub-suppliers, as applicable?

7.8 Do you have processes to evaluate prospective third-party suppliers’ product integrity during initial selection?

Warning

[Yes, No, Alternate, or N/A]

7.8.1. What processes or procedures, if any, are in place to ensure that prospective suppliers have met your product integrity requirements?
7.8.1.1. How do your policies or procedures ensure appropriate management/leadership input on supplier selection decisions?

7.9 Do you have regularly scheduled audits to ensure compliance with HW/SW products or services integrity requirements?

Warning

[Yes, No, Alternate, or N/A]

7.9.1. What provisions for auditing are included within supplier contracts?
7.9.2. How do you pass down HW/SW product or service integrity requirements to third-party suppliers?

7.10 Do you have a process for improving integrity of HW/SW products or services?

Warning

[Yes, No, Alternate, or N/A]

7.10.1. What programs are in place to ensure continuous performance monitoring and improvement of key suppliers?

7.11 Do you have processes in place for addressing reuse and/or recycle of HW products?

Warning

[Yes, No, Alternate, or N/A]

7.11.1. What is your process?

8. SUPPLY CHAIN RESILIENCE

General

8.1 Does your organization have a formal process for ensuring supply chain resilience as part of your product offering SCRM practices?

Warning

[Yes, No, Alternate, or N/A]

8.1.1. What standards or industry frameworks do you use to help inform those practices?

8.2 Do you consider non-technical supply chain resilience threats such as weather, geopolitical instability, epidemic outbreaks, volcanic activity, earthquakes, etc.?

Supply Chain Disruption Risk Management (Business Continuity)

8.3. Do you maintain a formal business continuity plan necessary to maintain operations through disruptions and significant loss of staff?

Warning

[Yes, No, Alternate, or N/A]

8.3.1. If illness causes high absenteeism, are personnel cross-trained and able to perform multiple duties?

8.4. Do you maintain a formally trained and dedicated crisis management team, including on-call staff, assigned to address catastrophic or systemic risks to your supply chain or manufacturing processes?

Warning

[Yes, No, Alternate, or N/A]

8.4.1. Do you require and audit key suppliers for their ability to be prepared for unexpected supply chain disruptions?

8.5. Can personnel work remotely?

Warning

[Yes, No, Alternate, or N/A]

8.5.1. Do your service deliverables outline which services can be performed remotely and which cannot?
8.5.1.1. Is that documented in a service-level agreement (SLA) or in your Terms and Conditions?
8.5.1.2. What infrastructure support is needed to support a shift to an at-home workforce?

Diversity of Supply Base

8.6. Does your company consider supplier diversity to avoid single sources and to reduce the occurrence of suppliers being susceptible to the same threats to resilience?

Warning

[Yes, No, Alternate, or N/A]

8.7. Does your company consider alternate offering delivery channels to mitigate extended supplier outages to include cloud, network, telecommunication, transportation, and packaging?

Warning

[Yes, No, Alternate, or N/A]

SIGNATURES

Note

Please include the names and titles of all persons completing this template.

Name:

Title:

Signature:

Name:

Title:

Signature:

Name:

Title:

Signature:
