Concept & Requirements
Avenues of supply chain attack.
What are entry nodes?
Mechanisms that can be used to reduce design risk.
What are mitigation mechanisms?
What aspects of critical components' functionality and security requirements are (blank) (blank)?
What is actively tested?
Entity that can be responsible for supplying critical materials/components that will be needed on a reoccurring basis.
What are vendors/third-party suppliers?
How does the organization (blank) and (blank) the system's critical legacy subcomponents?
What is retire and replace?
A strategy for avoiding interruptions of critical deliveries.
What is arranging multiple alternate sources/using alternate delivery methods?
These items would potentially need to be reconsidered due to identified supply chain risks.
What are engineering controls?
A stage at which services and components can be added, calling for further supply chain risk evaluation.
What is integration?
An opportunity for taking only desired updates.
What is micro-pacthing?
Lack of this can impact the system's design and necessary supply chain controls.
What is replacement availability?
Guidelines, beyond baseline, that should be defined for security, performance, and verification related to desired services.
What are additional contract requirements?
Three possible mitigation strategies for handling insecure, insufficient, or delayed components.
What is elimination, substitution, and/or accommodation?
These are risk-based and need to be identified in order to ensure functionality and security of critical sytems.
What are test scenarios?
Services vendors can use that will have long-term persistent connections to the systems.
What are cloud services?
A type of risk to consider when implementing replacement systems.
What is integration risk?
Existing opportunities related to delivery of critical components that are needed on a reoccurring basis.
What are interruptions?
This must be done regarding all elements going into the product in the development process.
What is documentation?
These need to be met during testing stages, and if not, further development needs to take place.
What are performance benchmarks?
A loss connected to critical functions of systems, important to consider for future planning.
What is contract expiration?
These are current ideals that can be applied to the replacement system.
What are existing assumptions?
A method to validate and verify a product and the security of its components.
What is third-party testing?
During the development process, the organization must (blank), (blank), and (blank) critical components within the system.
What is track, receive, and store?
These are put in place to mitigate risks during deployment.
What are contingency plans?
There needs to be established processes to ensure that (blank) (blank) from updates/patches are necessary and desired.
What are applied packages?
A set of partners that should be informed about the retirement and replacement decisions.
What are stakeholders?