// Level 3 · Controls

Supply Chain Mgmt, Transparency, and Accountability

STA domain controls.

STA-01 · Medium

SSRM Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization.

STA-02 · Medium

SSRM Supply Chain

Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.

STA-03 · Medium

SSRM Guidance

Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.

STA-04 · Medium

SSRM Control Ownership

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.

STA-05 · Medium

SSRM Documentation Review

Review and validate SSRM documentation for all cloud service offerings the organization uses.

STA-06 · Medium

SSRM Control Implementation

Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.

STA-07 · Medium

Supply Chain Inventory

Develop and maintain an inventory of all supply chain relationships.

STA-08 · Medium

Supply Chain Risk Management

CSPs periodically review risk factors associated with all organizations within their supply chain.

STA-09 · Medium

Primary Service and Contractual Agreement

Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually agreed-upon provisions and/or terms.

STA-10 · Medium

Supply Chain Agreement Review

Review supply chain agreements between CSPs and CSCs at least annually.

STA-11 · Medium

Internal Compliance Testing

Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.

STA-12 · Medium

Supply Chain Service Agreement Compliance

Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.

STA-13 · Medium

Supply Chain Governance Review

Periodically review the organization's supply chain partners' IT governance policies and procedures.

STA-14 · Medium

Supply Chain Data Security Assessment

Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.