| ID | Name |
|---|---|
| CM-10 | Software Usage Restrictions |
| Requirement | Rationale/Additional Guidance/Notes |
|---|---|
| The [organization] shall track security advisories, patches/updates, and ensure compliance with license agreements and usage restrictions for all software within the SBOM.{CM-10} | |
| The [organization] shall perform software component analysis (a.k.a. origin analysis) for developed or acquired software.{CM-10,CM-10(1),RA-3(1),RA-5,SA-15(7),SI-3,SI-3(10),SR-4(4)} | |
| The [organization] shall maintain a list of suppliers and potential suppliers used, and the products that they supply, including software.{SV-SP-3,SV-SP-4,SV-SP-11}{CM-10,PL-8(2),PM-30,SA-8(9),SA-8(11)} | Ideally, suppliers are diversified so that no single supplier is a single point of failure. |