Skip to main content

IRO-10.4: Supply Chain Coordination

IRO 7 — High Respond

Mechanisms exist to provide cybersecurity and data protection incident information to the provider of the Technology Assets, Applications and/or Services (TAAS) and other organizations involved in the supply chain for TAAS related to the incident.

Control Question: Does the organization provide cybersecurity and data protection incident information to the provider of the Technology Assets, Applications and/or Services (TAAS) and other organizations involved in the supply chain for TAAS related to the incident?

General (22)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.3-POF1 CC7.4
CIS CSC 8.1 17.2
CIS CSC 8.1 IG1 17.2
CIS CSC 8.1 IG2 17.2
CIS CSC 8.1 IG3 17.2
CSA CCM 4 SEF-02 SEF-03
ISO 27002 2022 5.20
NIST 800-53 R4 IR-6(3)
NIST 800-53 R5 (source) IR-4(10) IR-6(3)
NIST 800-53B R5 (moderate) (source) IR-6(3)
NIST 800-53B R5 (high) (source) IR-6(3)
NIST 800-53 R5 (NOC) (source) IR-4(10)
NIST 800-82 R3 MODERATE OT Overlay IR-6(3)
NIST 800-82 R3 HIGH OT Overlay IR-6(3)
NIST 800-161 R1 IR-1(1) IR-4(10) IR-6(3)
NIST 800-161 R1 Flow Down IR-4(10) IR-6(3)
NIST 800-161 R1 Level 2 IR-4(10)
NIST 800-161 R1 Level 3 IR-6(3)
NIST CSF 2.0 (source) RS.CO RS.CO-02 RS.CO-03
SCF CORE ESP Level 1 Foundational IRO-10.4
SCF CORE ESP Level 2 Critical Infrastructure IRO-10.4
SCF CORE ESP Level 3 Advanced Threats IRO-10.4
US (7)
Framework Mapping Values
US C2M2 2.1 RESPONSE-3.J.MIL3 RESPONSE-3.K.MIL3
US CJIS Security Policy 5.9.3 (source) IR-6(3)
US FedRAMP R5 (source) IR-6(3)
US FedRAMP R5 (moderate) (source) IR-6(3)
US FedRAMP R5 (high) (source) IR-6(3)
US IRS 1075 IR-6(3)
US NERC CIP 2024 (source) CIP-013-2 1.2.2
EMEA (2)
Framework Mapping Values
EMEA EU NIS2 23.2
EMEA Israel CDMO 1.0 17.11
APAC (3)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1569
APAC India SEBI CSCRF RS.CO.S3
APAC New Zealand NZISM 3.6 7.2.22.C.01

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to provide cybersecurity and data protection incident information to the provider of the Technology Assets, Applications and/or Services (TAAS) and other organizations involved in the supply chain for TAAS related to the incident.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to provide cybersecurity and data protection incident information to the provider of the Technology Assets, Applications and/or Services (TAAS) and other organizations involved in the supply chain for TAAS related to the incident.

Level 2 — Planned & Tracked

Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.

  • Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
Level 3 — Well Defined

Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data protection and business function representatives that can perform coordinated incident response.
  • The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data protection response operations.
  • A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
  • Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
  • Administrative processes and technologies exist to coordinate incident response actions with third-party stakeholders and service providers.
Level 4 — Quantitatively Controlled

Incident Response (IR) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide cybersecurity and data protection incident information to the provider of the Technology Assets, Applications and/or Services (TAAS) and other organizations involved in the supply chain for TAAS related to the incident.

Assessment Objectives

  1. IRO-10.4_A01 incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.
  2. IRO-10.4_A02 incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

Evidence Requirements

E-RSK-02 Supply Chain Risk Management (SCRM) Plan

Documented evidence of a Supply Chain Risk Management (SCRM) Plan. This is program-level documentation in the form of a playbook, concept of operations or a similar format provides guidance on organizational practices that support existing policies and standards.

Risk Management

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free