G.3.5 Notification agreement

Control Details

Objective

Timely notification of security threats and product end-of-life

Definition

Require suppliers to establish agreements and procedures for notification and monitoring capabilities, including notification when the supplier is the target of a supply chain threat. Timely notification of compromises and potential compromises in the supply chain is essential for an organization to initiate an incident response. Establish the minimum advance notice a vendor must give before a product is declared end-of-life and is no longer supported, and understand what end-of-life options exist (e.g., replace, upgrade, migrate to a new system, etc.).

Assessment Questions

  1. What notification agreements and monitoring capabilities are established with your suppliers related to supply chain threats or incidents?
  2. How much notification does a vendor provide when a product goes end-of-life?
  3. What end-of-life options exist?

Reference sources