
NIST CSF Supplier Controls Checklist: A Practitioner's Guide

The NIST Cybersecurity Framework includes specific guidance on supplier relationships. This checklist maps the relevant controls to the questions you should be asking vendors.

What Changed in NIST CSF 2.0 for Supplier Risk

When NIST released CSF 2.0 in February 2024, the headline change was structural: a new sixth function, Govern (GV), was introduced to provide organizational context for all other functions. For security teams managing vendor and supplier relationships, the most consequential part of that addition is the GV.SC category — Cybersecurity Supply Chain Risk Management — which consolidated and elevated supplier risk guidance that had been scattered across the Identify function in CSF 1.1.

GV.SC contains ten sub-categories (GV.SC-01 through GV.SC-10) that address the full lifecycle of supplier risk management: establishing program governance, identifying and prioritizing supplier risk, assessing supplier security posture, managing contracts and agreements, and monitoring suppliers on an ongoing basis. This is considerably more explicit guidance than what CSF 1.1 provided under ID.SC, and security teams using CSF 2.0 as their reference framework have correspondingly clearer expectations to meet when auditors or customers ask how their supply chain risk is managed.

The checklist below maps GV.SC sub-categories to the questionnaire areas and evidence items your program needs to address. It is organized by the assessment phase where each control is most relevant.

Phase 1: Program Governance Controls

These controls address whether your organization has the governance structures in place to run a systematic supplier risk program. They are primarily about your internal program design, but they have direct questionnaire implications because they define what you are required to assess.

GV.SC-01: A cybersecurity supply chain risk management program is established

This sub-category requires documented policies and procedures for your SCRM program — who is responsible, what the scope covers, how decisions are made. Internally, it requires a written SCRM policy that defines your assessment approach, tiering methodology, and remediation requirements. The policy must be reviewed on a defined cadence; annual review is the practical standard.

Checklist: Is there a documented SCRM policy reviewed within the last 12 months? Does it define risk tiers, assessment triggers, and remediation SLAs? Is the policy owner identified by role, not just name?

GV.SC-02: Cybersecurity roles and responsibilities for suppliers are established

Accountability for supplier risk often lives ambiguously between security, procurement, and legal. GV.SC-02 requires that roles be explicitly defined. In practice, this means documenting who owns vendor risk assessment (typically security), who owns contract terms (legal or procurement), who owns ongoing relationship management (business owner), and how escalations are handled when a vendor's risk rating changes materially.

Checklist: Is there a documented RACI or equivalent for supplier risk activities? Are responsibilities reflected in job descriptions or team charters? Is there a defined escalation path for critical vendor risk findings?

GV.SC-03: Suppliers and third-party partners are included in improvement and response planning

This is frequently the most overlooked governance control. Your incident response plan should address scenarios involving supplier failure or compromise — including how you notify affected parties when the incident originates at a vendor rather than within your own systems. Business continuity planning should include supplier substitution scenarios for critical dependencies.

Checklist: Does your IRP include supplier-originated incident scenarios? Does your BCP document critical vendor dependencies and substitution options? Have supplier-involved scenarios been exercised in a tabletop within the last 24 months?

Phase 2: Supplier Identification and Assessment

GV.SC-04: Suppliers are known and prioritized by criticality

You cannot assess suppliers you do not know you have. GV.SC-04 requires a maintained supplier inventory with criticality ratings. Criticality is typically a function of data access, service dependency, and substitutability. An enterprise with active procurement activity that has never formally inventoried its vendor relationships typically discovers three to five times more third-party relationships than expected when it first performs this exercise — including sub-processors used by primary vendors, which represent indirect exposure.

Checklist: Is there a maintained supplier inventory? Is each supplier assigned a criticality tier? Is the inventory reviewed and updated when new contracts are executed? Does it capture sub-processor relationships for critical vendors?
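The following Python is an added illustration of the criticality rating and sub-processor point above; it is not code from this article, from Clarito, or from NIST. Each supplier is scored on the three factors the text names (data access, service dependency, substitutability), mapped to a tier, and then any sub-processor listed by a primary vendor inherits at least that vendor's tier, so indirect exposure and never-assessed sub-processors surface in the inventory. The factor scales, the tier thresholds, the inheritance rule and the supplier records are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed scoring scales (an assumption, not a NIST-defined scale):
# each criticality factor maps to a small integer so tiers can be compared.
DATA_ACCESS = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
DEPENDENCY = {"none": 0, "supporting": 1, "core": 3}
SUBSTITUTABILITY = {"easy": 0, "moderate": 1, "hard": 2}
TIERS = ["low", "moderate", "high", "critical"]  # ascending criticality


@dataclass
class Supplier:
    name: str
    data_access: str
    dependency: str
    substitutability: str
    sub_processors: list = field(default_factory=list)  # names of sub-processors


def criticality_score(s: Supplier) -> int:
    """Sum of the three factor scores (maximum 8 on these scales)."""
    return (DATA_ACCESS[s.data_access]
            + DEPENDENCY[s.dependency]
            + SUBSTITUTABILITY[s.substitutability])


def tier_for_score(score: int) -> str:
    """Map a score to a tier. Thresholds are an illustrative assumption."""
    if score >= 6:
        return "critical"
    if score >= 4:
        return "high"
    if score >= 2:
        return "moderate"
    return "low"


def build_inventory(suppliers):
    """Return {name: {"tier", "assessed", "inherited_from"}} for every
    directly assessed supplier and every sub-processor they name."""
    inv = {}
    for s in suppliers:
        inv[s.name] = {"tier": tier_for_score(criticality_score(s)),
                       "assessed": True, "inherited_from": []}

    # Propagation rule (assumption): a sub-processor carries at least the tier
    # of the most critical primary vendor that uses it. Iterate to a fixed
    # point so multi-level chains are handled; tiers only ever rise, so the
    # loop terminates even if the sub-processor graph contains a cycle.
    changed = True
    while changed:
        changed = False
        for s in suppliers:
            primary_tier = inv[s.name]["tier"]
            for sp in s.sub_processors:
                entry = inv.setdefault(
                    sp, {"tier": "low", "assessed": False, "inherited_from": []})
                if s.name not in entry["inherited_from"]:
                    entry["inherited_from"].append(s.name)
                    changed = True
                if TIERS.index(primary_tier) > TIERS.index(entry["tier"]):
                    entry["tier"] = primary_tier
                    changed = True
    return inv


def unassessed_exposures(inv):
    """Sub-processors known only through a primary vendor, never assessed."""
    return sorted(name for name, e in inv.items() if not e["assessed"])


# Constructed sample records for the example (not real vendors).
SAMPLE_SUPPLIERS = [
    Supplier("PayrollCo", "regulated", "core", "hard", ["CloudHost"]),
    Supplier("SwagPrinter", "internal", "none", "easy"),
    Supplier("TicketingSaaS", "confidential", "supporting", "moderate",
             ["CloudHost", "EmailRelay"]),
    # Assessed directly as moderate, but inherits "high" via TicketingSaaS.
    Supplier("EmailRelay", "internal", "supporting", "easy"),
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_SUPPLIERS)
    for name, entry in sorted(inventory.items()):
        print(f"{name:14} tier={entry['tier']:9} assessed={entry['assessed']} "
              f"via={entry['inherited_from']}")
    print("never assessed:", unassessed_exposures(inventory))
```

Running the block shows the effect the passage describes: CloudHost never appears as a contracted supplier, yet it inherits the critical tier from PayrollCo and is listed as an unassessed exposure, and EmailRelay's own moderate score is raised to high because a high-tier vendor depends on it. In a real program the scales and thresholds would come from the SCRM policy that GV.SC-01 requires.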

GV.SC-05: Requirements to address cybersecurity risks in supply chains are established

This sub-category requires that your security requirements for suppliers are documented and contractually enforceable — not just assessed via questionnaire. The practical implication is that vendor contracts include minimum security requirements clauses: MFA enforcement, encryption standards, incident notification timelines, right-to-audit provisions for critical vendors. Requirements should be differentiated by tier; applying enterprise security clauses to a low-risk stationery supplier creates friction without risk reduction.

Checklist: Do standard vendor contracts include security requirements? Are requirements differentiated by criticality tier? Do critical vendor contracts include right-to-audit language and incident notification timelines?

GV.SC-06: Planning and due diligence are performed before entering into formal supplier relationships

GV.SC-06 requires pre-contract security assessment — due diligence before the relationship begins, not after contracts are signed. This is an area where many programs are weakest: security review frequently happens after legal approval, after commercial terms are agreed, after the business has already committed to the vendor. At that point, the organizational dynamics make it very difficult to act on assessment findings. The business has already made the buy decision; security findings become paperwork rather than decision inputs.

Checklist: Is security review a mandatory step in the procurement approval workflow before contract execution? Is there a documented minimum assessment standard for each tier? Is there a defined process for handling security findings that emerge during pre-contract review?

GV.SC-07: Risks posed by a supplier are understood before entering into a formal relationship

This pairs with GV.SC-06 and specifically requires that assessment findings are understood and documented — not just completed. A questionnaire sent and returned without analyst review does not satisfy this control. The evidence artifact for GV.SC-07 is typically a risk acceptance memo or decision record where the business owner acknowledges specific gaps identified in the assessment and accepts or requires remediation before contract execution.

Checklist: Is there a formal risk acceptance process for vendors with identified control gaps? Are risk acceptance decisions documented with business owner sign-off? Are open findings tracked post-contract for follow-up?

Phase 3: Ongoing Monitoring and Offboarding

GV.SC-08: Relevant suppliers are included in incident response planning

Beyond the governance-level requirement in GV.SC-03, this sub-category addresses operational readiness: supplier security team contact information maintained and current, notification procedures defined for supplier-originated incidents, and documented expectations for supplier cooperation during investigations where they are implicated.

Checklist: Is supplier security contact information maintained and verified at least annually? Are supplier incident notification timelines defined in contracts? Is there a process for updating contact information when supplier personnel change?

GV.SC-09: Supply chain risk management is integrated into broader enterprise risk management

This sub-category requires that supplier risk findings flow into enterprise risk registers and senior-level reporting — not stay siloed in the security team's tooling. For growing enterprises, this typically means vendor risk metrics (number of high-risk vendors, open remediation items, assessment coverage rates) appear in quarterly risk committee reporting alongside other enterprise risk categories.

Checklist: Are vendor risk metrics included in enterprise risk reporting? Are critical vendor risk issues escalated to a risk committee or equivalent? Is there a defined threshold for what constitutes a reportable supplier risk finding?

GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities after the conclusion of a vendor relationship

Offboarding is a control requirement, not just an administrative task. GV.SC-10 requires that data handling at vendor relationship termination is addressed: data return or destruction procedures, access revocation confirmation with a defined timeline, handling of residual data in shared environments, and documentation that end-of-contract security activities were completed. This is a control that is easy to skip when a relationship ends under time pressure — and one that auditors specifically look for.

Checklist: Is there a vendor offboarding checklist that includes data disposition and access revocation steps? Is completion of offboarding documented? Is there a defined SLA for access revocation after contract end?

Mapping GV.SC to Questionnaire Templates

The ten GV.SC sub-categories above represent governance and program requirements — mostly for your own internal controls. They define what a systematic SCRM program looks like. The questionnaire items you send to vendors to assess their security posture map primarily to the Protect, Detect, Respond, and Recover functions, with GV.SC providing the organizational framework within which those assessments occur.

We are not saying that GV.SC compliance alone produces a complete vendor risk program. What GV.SC gives you is the governance evidence an auditor or customer will look for when evaluating whether your supply chain risk management is systematic rather than ad hoc. The questionnaire coverage — what you actually ask vendors — is a separate design question, informed by your taxonomy and the specific risk profile of each tier.

For how GV.SC maps to the parallel ISO 27001:2022 supplier controls in Clauses A.5.19 through A.5.23, see our ISO 27001 vendor assessment guide.

Put this into practice with Clarito

Request access and run your first vendor review using the workflows described in this article.
