GSA OASIS+ Section | Cybersecurity Supply Chain Risk Management (C-SCRM) Requirement

Supply Chain Provenance
Identity, including that of each parent and/or subsidiary corporate entity
1.1 | Are suppliers of critical ICT components identified?
1.2 | Is the company ownership of suppliers of critical ICT components verified?
1.3 | Are suppliers of critical ICT components under U.S. ownership?
1.4 | If distributors will be used to provide products/services to the Government, is a threat analysis performed for each distributor? If "yes", provide the process.
1.5 | Are any subcontractors and/or suppliers located outside the United States or its territories? If "yes", list company name(s) and foreign country location(s).
1.6 | Are Basic Security Requirements (not Derived Security Requirements) implemented for the fourteen families in Chapter Three of NIST SP 800-171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems? If "yes", demonstrate how in Section 1.7. If "no", mark N/A in Section 1.7 and proceed to Section 2.1.
1.7 | Provide evidence of control alignment with the Basic Security Requirements listed in NIST SP 800-171 R2.

Supply Chain Management & Supplier Governance
General
2.1 | Are policies/processes in place to ensure timely notification of updates to risk management information previously provided to the Contracting Officer and Contracting Officer's Representative? If "yes", cite the section where the policy is documented.
Information Communications Technology (ICT) Supply Chain Management
2.2 | Is there a documented Quality Management System (QMS) based on an industry standard or framework for the prime contractor's Information and Communications Technology (ICT) supply chain operation? If "yes", provide the QMS documentation.
Supplier Governance
2.3 | Do Supply Chain Risk Management (SCRM) requirements exist in contracts with critical ICT suppliers? If "yes", provide the specific contract language that stipulates the SCRM/C-SCRM requirements.
2.4 | Is there a process to verify that suppliers are meeting SCRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers?

Information Security
Identify
3.1 | Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements? If the process is established by policy, provide the policy.
3.2 | Are the policies and procedures referenced in 3.1 reviewed and updated annually? When was the most recent review?
Detect
3.3 | Are incident detection and reporting practices defined and documented that outline the actions to be taken in the case of an information security or cybersecurity event? If "yes", provide the documented practices.
3.4 | Are cybersecurity events centrally logged, tracked, and continuously monitored? If "yes", provide documentation describing how events are monitored.
3.5 | Is endpoint protection software deployed throughout the prime contractor's environment? If "no", describe the mitigation efforts used instead.
3.6 | Is there a documented incident response process and a dedicated incident response team (CSIRT, Computer Security Incident Response Team)? If "no", describe the mitigation efforts used instead.

Physical Security
General
4.1 | Is the entity (organization, operational unit, facility, etc.) currently covered by an unrestricted/unlimited National Industrial Security Program (NISP) Facility Clearance (FCL) or a related U.S. government program such as C-TPAT that certifies the entity as meeting appropriate physical security standards? If "yes", provide documentation of the certification and the date of the last certification.
4.2 | Are security policies and procedures documented that address the control of physical access to cyber assets (network devices, data facilities, patch panels, industrial control systems, programmable logic, etc.)? If "yes", provide the documented security policies/procedures.
4.3 | Are physical security industry standards/controls (e.g., NIST publications, ISO, UL) adhered to? If "yes", list the industry standards/controls.
4.4 | Are the policies and procedures listed in 4.3 reviewed and updated at least annually? When was the most recent review?
4.5 | Does a documented Security Incident Response process exist that covers physical security incidents at the prime contractor's owned or operated facilities (e.g., potential intruder access, missing equipment)? If "no", describe the mitigation efforts.
Physical Security In-Transit
4.6 | Are requirements in place to ensure the use of Original Equipment Manufacturer (OEM) or Authorized Distributors for all critical ICT components?
4.7 | Are counterfeit prevention requirements passed on to second- and third-party suppliers?

Personnel Security
General
5.1 | Is a personnel security program implemented at the prime contractor's owned or operated facilities? If "yes", list the address(es) and, if implemented by a third party, the company(ies) used. If the prime contractor does not own or operate a facility, mark N/A and skip to question 5.3.
5.2 | Are physical security practices documented or formally governed? If "yes", provide the documentation, or cite the section where the documentation can be found.
Onboarding
5.3 | Are policies documented for conducting background checks of prime contractor employees as permitted by each country in which you operate? If "yes", provide the documented policy or cite where it can be found.

Supply Chain Integrity
General
6.1 | Are documented processes in place for managing third-party product and component defects throughout their lifecycle? If "yes", provide the documented process or cite where it can be found.
6.2 | What provisions for auditing are included within supplier contracts?
6.3 | Are integrity and End of Life requirements for hardware/software products or services passed down to second- and third-party suppliers? If "yes", provide the documented process or policy.
6.4 | Are processes in place for addressing the reuse and/or recycling of hardware products? If "yes", provide the process document.

Supply Chain Resilience
General
7.1 | Is a formal process documented for ensuring supply chain resilience as part of the SCRM practices for your product offering? If "yes", provide the process document.
Supply Chain Disruption Risk Management (Business Continuity)
7.2 | Can prime contractor personnel work remotely? If "yes", provide the policies, practices, and software that allow remote work.
7.3 | Is a data backup policy in place that aligns with NIST SP 800-53 CP-9? If "yes", provide the policy. State whether the data backup location is offsite and, additionally, whether the backup location is outside the immediate climatic or geographical area (e.g., not in the same floodplain).
7.4 | Has your organization conducted vulnerability assessments, risk assessments, or other calculations to identify what impact physical risks associated with climate-related risks (e.g., increases in precipitation-driven flooding, extreme heat events, and inundation due to sea level rise and storm surge) might have on your assets, products, and/or services?
7.5 | If the answer to 7.4 is "yes", describe the assessment process. If assessment results are reported (CDP, GRI, Sustainability or Corporate Responsibility reports), provide the reporting platform and/or report.
7.6 | Does your organization have a disaster response plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding) and for the impact of long-term climate-related risks (e.g., changes in precipitation, increased average temperature, and sea level rise)?
7.7 | Does your organization's disaster response plan include how to manage potential increases in the frequency, severity, or duration of weather events?
7.8 | Does the disaster response plan describe which assets, products, or services would most significantly disrupt operations if they experienced short-term acute damage (immediate failure, either temporary or catastrophic)?
7.9 | Does the disaster response plan describe which assets, products, or services would most significantly disrupt operations if they experienced gradual long-term cumulative damage (slower degradation; greater wear and tear)?