NERC CIP-013 Cyber Security - Supply Chain Risk Management

Question asked by Kevin Marshman on Aug 4, 2020
Latest reply on Nov 4, 2020

Due to new NERC CIP compliance requirements, I need to routinely inquire/check/review if any of our suppliers (Manufacturers, Vendors, Integrators specific to CIP assets) have experienced any incidents such as data breaches or compromises. I know in the RSA Community, I can search for security advisories or product vulnerabilities etc., but don't know if RSA does or would publish disclosed compromises in any capacity for evidentiary collection. If this is already happening, could someone please state this for me (and there certainly are others out there in a similar position). Similar to the security advisories, it would ideally contain reference to others in the RSA supply chain such as the appliance manufacturer (Dell?), OS (SUSE?) or supporting software (PostgreSQL?).

I am not looking for advanced warning, just a collection point(s) for such reference material to aid in our compliance requirements.


Thanks in advance for any clarification or commentary.