Control Framework

SUP: Supply Chain

The Supply Chain domain manages risks arising from external dependencies, including tool servers, APIs, and prompts. Four controls address dependency inventory, dependency assessment, prompt review, and integration monitoring.

SUP-01 Dependency Inventory

Requirement: Organizations shall maintain an inventory of external dependencies including tool servers, APIs, and libraries.

Rationale: An accurate inventory is the precondition for risk assessment and for impact analysis when a dependency is found to be vulnerable or compromised.

Evidence: Dependency inventory with version information.

Profile: Standard

SUP-02 Dependency Assessment

Requirement: External dependencies shall be assessed for security posture before integration.

Rationale: Prevents introduction of vulnerabilities through third parties.

Evidence: Assessment reports for dependencies.

Profile: Elevated

SUP-03 Prompt Supply Chain

Requirement: System prompts and templates from external sources shall be reviewed and approved before deployment.

Rationale: Prevents injection of malicious instructions through the prompt supply chain.

Evidence: Prompt review and approval records.

Profile: Elevated

SUP-04 Integration Monitoring

Requirement: Communications with external dependencies shall be monitored for anomalies.

Rationale: Detects compromise of dependencies or communication channels.

Evidence: Monitoring configuration and alert logs.

Profile: Critical
