In the NIS baseline framework, supply-chain cybersecurity is a governance obligation, not only a procurement control. Organizations are expected to identify high-impact suppliers, assess and prioritize related risks, and integrate security requirements into contracts and lifecycle oversight.
Sources: ACN baseline obligations determination, ACN baseline reading guide
Key takeaways
- Supply-chain controls are formalized through GV.SC baseline measures.
- Critical suppliers should be identified, prioritized, and tracked in a maintained inventory.
- Security requirements should be embedded in tendering and contractual documents.
- Supplier risk must be evaluated, treated, and monitored throughout the procurement lifecycle.
Sources: ACN baseline obligations determination
Supply-chain control model (GV.SC)
1. Governance and policy baseline (GV.SC-01)
Define and approve supply-chain cyber-risk governance principles and requirements for high-impact procurements.
2. Roles and accountability (GV.SC-02)
Assign clear responsibilities across internal stakeholders and define interaction rules with suppliers, partners, and customers where relevant.
3. Supplier inventory and prioritization (GV.SC-04)
Maintain an updated inventory of suppliers linked to potentially high-impact supplies and prioritize them by criticality.
4. Contractual security integration (GV.SC-05)
Integrate required security clauses and control expectations into bids, contracts, agreements, and procurement artifacts.
5. Lifecycle supplier-risk oversight (GV.SC-07)
Evaluate, treat, and continuously monitor supplier-related cyber risks during the full supply lifecycle.
Sources: ACN baseline obligations determination
Minimum evidence set for supply-chain readiness
| Area | Practical objective | Typical evidence |
|---|---|---|
| GV.SC governance | Formal supplier-risk governance model | Governance policy, approval records |
| Supplier inventory | Visibility on critical suppliers | Supplier inventory, criticality classification |
| Contract integration | Security requirements embedded in contracts | Tender clauses, contract annexes, agreement templates |
| Risk assessment | Supplier risk documented and prioritized | Supplier-risk assessments, treatment decisions |
| Ongoing monitoring | Continuous supplier-risk oversight | Monitoring log, reassessment records |
Sources: ACN baseline obligations determination
90-day execution checklist
- Build or refresh the inventory of high-impact suppliers and assign an owner to each entry.
- Define supplier criticality criteria and scoring method.
- Update procurement templates with required cybersecurity clauses.
- Launch prioritized supplier-risk assessments and treatment plans.
- Establish recurring monitoring and reassessment cadence.
FAQ
Is supplier cybersecurity a technical-only responsibility?
No. Baseline requirements place it under governance, procurement, legal, and security coordination. Source: ACN baseline obligations determination
Are contract clauses sufficient by themselves?
No. Clauses must be backed by risk assessment, treatment decisions, and ongoing monitoring. Source: ACN baseline obligations determination
Which suppliers should be assessed first?
Priority should follow documented criticality and risk criteria defined by the organization and aligned with baseline expectations. Sources: ACN baseline obligations determination, ACN baseline reading guide