Selection criteria include consideration of safeguards against counterfeit or compromised software, hardware, and services
Context and Guidance: Third parties should be selected through an organised and thorough process, against explicit specifications and selection criteria. The process and criteria should be designed to ensure that the selected entity can fully meet the organisation's established specifications. The criteria should include safeguards against counterfeit or compromised software, hardware, and services. For example:
• Will the supplier disclose the existence of all known methods for bypassing authentication in the procured product (often referred to as backdoors), and provide written documentation that all such backdoors created by the supplier have been permanently removed from the system?
• Will the supplier provide summary documentation of the procured product's security features, and security-focused instructions for product maintenance, support, and reconfiguration of default settings?
For more examples of vendor selection criteria that can be derived from procurement language, see the DOE Cybersecurity Procurement Language for Energy Delivery Systems.
Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2b, THIRD-PARTIES-2i, THIRD-PARTIES-2j, THIRD-PARTIES-2k, THIRD-PARTIES-2l, THIRD-PARTIES-2m.