P.3 Manage component and container choices

Software supply chain risk can be reduced by careful choice and handling of third-party components and containers.

Controls

P.3.1 Component and container choice

Make informed third-party component and container choices.

P.3.2 Trusted repositories

Obtain candidate packages and containers from trusted ecosystems, or rebuild them from source.

P.3.3 Require signed commits

Use legitimate components and software that have not been tampered with.

P.3.4 Vetted third-party component and container repositories

Engineers can choose from organization-approved component and container repositories.
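One way to enforce P.3.2 and P.3.4 for containers is to check every image reference a build consumes against an allowlist of vetted registries and to require digest pinning, since a tag can be re-pointed after review. The following is an added example, not code from this control catalog or from any project it describes; the allowlist entries, the helper names and the sample image references are all constructed for illustration.

```python
"""Check container image references against an allowlist of vetted registries.

Added example, not part of the control catalog. VETTED_REGISTRIES and the
sample references in audit_manifest() are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlist of registries the organization has vetted (assumption).
VETTED_REGISTRIES = frozenset({"registry.internal.example", "ghcr.io"})

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI image reference into registry, repository, tag and digest.

    Applies the Docker normalization rules: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise the
    image lives on Docker Hub (docker.io), and a single-segment name is
    placed under 'library/'. A digest, if present, follows '@'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path
    tag = None
    # A tag is introduced by the last ':' only when it sits after the last '/',
    # so a registry port such as 'localhost:5000' is not mistaken for a tag.
    last_colon = path.rfind(":")
    if last_colon > path.rfind("/"):
        path, tag = path[:last_colon], path[last_colon + 1:]
    return ImageRef(registry, path, tag, digest)


def check_image_ref(ref: str, vetted=VETTED_REGISTRIES) -> list:
    """Return the policy violations for one reference (empty list means OK)."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in vetted:
        problems.append(f"registry {img.registry} is not vetted")
    if img.digest is None:
        problems.append(f"not pinned by digest (tag '{img.tag or 'latest'}' is mutable)")
    return problems


def audit_manifest(refs=None) -> dict:
    """Map each reference to its violations; only failing references are kept."""
    if refs is None:
        # Constructed sample manifest for the demonstration.
        refs = [
            "nginx",
            "ghcr.io/org/app:v1",
            "ghcr.io/org/app@sha256:" + "a" * 64,
            "localhost:5000/app:1.0",
        ]
    return {r: p for r in refs if (p := check_image_ref(r))}


if __name__ == "__main__":
    for ref, problems in audit_manifest().items():
        print(ref)
        for p in problems:
            print("  -", p)
```

The registry match is exact, so a registry reachable on a non-default port (`registry.internal.example:5000`) needs its own allowlist entry; that is deliberate, since the port identifies a different endpoint. Rejecting unpinned tags is what makes the P.3.4 vetting durable: the digest ties the running image to the artifact that was actually reviewed.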