Supplier Inventory (SP 800-161)
Supply Chain Risk Management
NIST Control Text
a. Develop, document, and maintain an inventory of suppliers that:
1. Accurately and minimally reflects the organization's tier one suppliers that may present a cybersecurity risk in the supply chain;
2. Is at the level of granularity deemed necessary for assessing criticality and supply chain risk, tracking, and reporting;
3. Documents the following information for each tier one supplier: (i) unique identifier for procurement instrument; (ii) description of the supplied products and/or services; (iii) program, project, and/or system that uses the supplier's products and/or services; and (iv) assigned criticality level that aligns to the criticality of the program, project, and/or system.
b. Review and update the supplier inventory [Assignment: enterprise-defined frequency].
SL5 Supplemental Guidance
Apply SP 800-161 Rev 1 guidance [3] to maintain a comprehensive, criticality-based inventory of all suppliers that documents supplier identities, products provided, and assigned risk levels.