GASP: AICF

Search controls

Search by control ID, name or domain

VND-005 ICT Supply Chain Risk Management

Tier 2+

Description

Risks in the ICT supply chain are identified, assessed and managed. This includes software dependencies, hardware components, open source libraries and third-party development. A documented supply chain inventory is maintained. Controls are applied to prevent tampering, counterfeit components or insertion of malicious code through the supply chain.

Rationale

Software supply chain attacks (e.g. SolarWinds, XZ Utils) demonstrate that third-party code components are a primary attack vector. SaaS products that embed third-party software must manage this risk explicitly.

Framework Mappings (7)

CSA CCM v4.1
STA-01Supply Chain Risk Management Policies and Procedurespartial
STA-08Supply Chain Inventoryfull
ISO/IEC 27001:2022
5.21Managing information security in the ICT supply chainfull
ISO/IEC 42001:2023
A.10.3Supplierspartial
NIST SP 800-53 Rev 5
PM-30Supply Chain Risk Management Strategypartial
SR-2Supply Chain Risk Management Planfull
SR-3Supply Chain Controls and Processesfull

Evidence (2)

tool_outputautomated

Software Bill of Materials (SBOM) or dependency inventory listing third-party libraries and components embedded in the product, with current vulnerability status.

Example: SBOM export (CycloneDX or SPDX format) generated from CI/CD pipeline (e.g. Syft, OWASP Dependency-Track) — listing all direct and transitive dependencies with: package name, version, license, and known CVE status at last scan

Test: Request the current SBOM or dependency scan output. Verify: (1) SBOM covers all production application dependencies (direct and transitive), (2) scan was run within the last 30 days, (3) all HIGH and CRITICAL CVEs are either patched or have documented risk acceptance with a remediation timeline, (4) SBOM is regenerated as part of the CI/CD pipeline on each build.

policymanual

ICT supply chain risk management policy or software composition analysis procedure documenting how third-party software components are vetted, monitored and updated.

Example: Software Supply Chain Security Policy (Confluence), approved by CISO — defining: SBOM generation requirements, OSS licence approval process, dependency vulnerability scanning in CI/CD, time-to-patch SLAs by severity (e.g. Critical ≤7 days, High ≤30 days), and prohibited dependency categories

Test: Request the software supply chain policy. Verify: (1) requires SBOM generation for production builds, (2) specifies vulnerability scanning of dependencies as a CI/CD gate, (3) defines time-to-patch SLAs by severity, (4) addresses open source licence approval, (5) approved within 24 months.

Questions (2)

boolean

Does your organisation maintain an inventory of third-party software components (including open source libraries) embedded in your products, and are these inventories scanned for known vulnerabilities?

A Software Bill of Materials (SBOM) should be generated for every production build. Dependency vulnerability scanning should be integrated into the CI/CD pipeline. Critical and High CVEs must have documented remediation timelines.

multi

How are third-party software components and open source dependencies managed in your development process?

SBOM generated automatically as part of the CI/CD pipeline for every production buildDependency vulnerability scanning runs as a CI/CD gate (build fails on Critical/High CVEs without exception)Time-to-patch SLAs defined by severity (e.g. Critical ≤7 days, High ≤30 days)Open source licence review process in place before a new dependency is approvedDependency inventory is maintained manually and reviewed periodicallyNo structured process for tracking or vetting third-party dependencies

Automated SBOM generation and CI/CD-integrated vulnerability scanning are the baseline expectation for SaaS products. Manual-only dependency management is insufficient given the pace of vulnerability disclosures.