Selection criteria for higher priority assets include evaluation of bills of material for key asset elements, such as hardware and software
Context and Guidance
The creation, manufacturing, and assembly of assets supplied by third parties often comprise many sub-parts and sub-components sourced from other vendors and suppliers. Organisations that acquire these assets from third parties may unknowingly inherit cyber risks that have not been identified or mitigated. A bill of materials establishes and itemizes the source of sub-parts and sub-components for acquired assets, including their origin and any additional information that can help the organisation determine inherited risk. Examples of such sub-parts and sub-components include software routines from open source libraries incorporated as a component of a software build, or parts in a security camera sourced from a known hostile nation-state.
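The evaluation this practice calls for can be partly automated once the bill of materials is machine-readable. The following Python is an added example, not part of the practice guide: it walks a constructed CycloneDX-shaped software bill of materials for a fictional security camera, follows nested sub-components, and records a finding wherever a part's origin cannot be established (no supplier recorded), a library cannot be matched to vulnerability data (no package URL), or the supplier is on a hypothetical organisation-defined watch-list of suppliers needing additional scrutiny. The sample SBOM, the supplier names and the watch-list are all constructed for illustration.

```python
"""Walk a CycloneDX-style bill of materials and flag sub-components whose
origin cannot be established or that need additional review before the
asset is accepted. Added example; the SBOM and watch-list are constructed."""
import json
from dataclasses import dataclass

# Constructed CycloneDX-1.4-shaped SBOM for a fictional security camera.
# Field names (components, supplier, purl, nested components) follow the
# CycloneDX schema; the values are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "cam-200", "version": "3.1"}},
    "components": [
        {"type": "firmware", "name": "cam-fw", "version": "3.1.0",
         "supplier": {"name": "Example Cameras Ltd"},
         "components": [
             {"type": "library", "name": "libpng", "version": "1.6.37",
              "purl": "pkg:generic/libpng@1.6.37",
              "supplier": {"name": "PNG Development Group"}},
             # Sub-component with no supplier and no package URL.
             {"type": "library", "name": "vendor-crypto", "version": "0.9"},
         ]},
        {"type": "device", "name": "image-sensor", "version": "rev-B",
         "supplier": {"name": "Unvetted Sensor Co"}},
    ],
})

# Hypothetical policy input: suppliers the organisation has decided need
# additional scrutiny before a component sourced from them is accepted.
WATCHLIST = {"unvetted sensor co"}


@dataclass
class Finding:
    path: str       # slash-separated path through the BOM component tree
    severity: str   # "high" or "medium"
    reason: str


def _walk(component: dict, path: str, findings: list) -> None:
    """Recursively inspect one component and its nested sub-components."""
    name = component.get("name", "<unnamed>")
    here = f"{path}/{name}" if path else name
    supplier = (component.get("supplier") or {}).get("name")
    if not supplier:
        findings.append(Finding(here, "high", "no supplier recorded; origin cannot be established"))
    elif supplier.lower() in WATCHLIST:
        findings.append(Finding(here, "high", f"supplier '{supplier}' is on the review watch-list"))
    if component.get("type") == "library" and not component.get("purl"):
        findings.append(Finding(here, "medium", "library has no package URL; cannot be matched to vulnerability data"))
    if not component.get("version"):
        findings.append(Finding(here, "medium", "no version recorded"))
    for child in component.get("components", []):
        _walk(child, here, findings)


def evaluate_sbom(sbom_json: str) -> list:
    """Return all findings for a CycloneDX JSON document, in tree order."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings: list = []
    for comp in bom.get("components", []):
        _walk(comp, "", findings)
    return findings


def needs_review(sbom_json: str) -> bool:
    """True if any sub-component carries a high-severity finding."""
    return any(f.severity == "high" for f in evaluate_sbom(sbom_json))


if __name__ == "__main__":
    for f in evaluate_sbom(SAMPLE_SBOM):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

The recursive walk matters because the risk the practice describes is inherited through the sub-component tree: the firmware itself has a known supplier, but the `vendor-crypto` library nested inside it has none, and that is the finding an asset-level check would miss. A real deployment would replace the constructed watch-list with the organisation's own supplier-risk data and feed the findings into the asset prioritisation decision.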
Related Practices
• Input From: Implementing ASSET-1c provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2b, THIRD-PARTIES-2i, THIRD-PARTIES-2j, THIRD-PARTIES-2k, THIRD-PARTIES-2l, THIRD-PARTIES-2m.