Notification Agreements | FedRAMP Explorer

SR-8 Notification Agreements

Control

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; [Assignment: organization-defined results of assessments or audits] ].

Requirement:

CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

Discussion

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

FedRAMP Control Explorer

Controls

Access Control

Assessment, Authorization, and Monitoring

Audit and Accountability

Awareness and Training

Configuration Management

Contingency Planning

Identification and Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Physical and Environmental Protection

Planning

Risk Assessment

Supply Chain Risk Management

System and Communications Protection

System and Information Integrity

System and Services Acquisition

SR-8 Notification Agreements

Control

Discussion

FedRAMP-Defined Assignment / Selection Parameters