Manage Third-Party Risk

MIL1 requirements
a. The selection of suppliers and other third parties includes consideration of their cybersecurity qualifications, at least in an ad hoc manner
b. The selection of products and services includes consideration of their cybersecurity capabilities, at least in an ad hoc manner

MIL2 requirements
c. A defined method is followed to identify cybersecurity requirements and implement associated controls that protect against the risks arising from suppliers and other third parties
d. A defined method is followed to evaluate and select suppliers and other third parties
e. More rigorous cybersecurity controls are implemented for higher priority suppliers and other third parties
f. Cybersecurity requirements (for example, vulnerability notification, incident-related SLA requirements) are formalized in agreements with suppliers and other third parties
g. Suppliers and other third parties periodically attest to their ability to meet cybersecurity requirements

MIL3 requirements
h. Cybersecurity requirements for suppliers and other third parties include secure software and secure product development requirements where appropriate
i. Selection criteria for products include consideration of end-of-life and end-of-support timelines
j. Selection criteria include consideration of safeguards against counterfeit or compromised software, hardware, and services
k. Selection criteria for higher priority assets include evaluation of bills of material for key asset elements, such as hardware and software
l. Selection criteria for higher priority assets include evaluation of any associated third-party hosting environments and source data
m. Acceptance testing of procured assets includes consideration of cybersecurity requirements