Establish and Manage an Inventory of Third-Party Software Components
Description
Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.
Implementation Checklist
Tool Recommendations
Snyk · Per-developer subscription: developer-first application security with SCA, container scanning, IaC security, and SAST integrated into CI/CD
Synopsys · Per-developer subscription: application security testing suite with SAST (Coverity), SCA (Black Duck), and DAST for comprehensive AppSec
Checkmarx · Per-developer subscription: cloud-native application security platform with SAST, SCA, DAST, API security, and supply chain security testing
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Supply Chain Attack via Compromised Third-Party Library
Integrity: A widely used third-party library included in the application is compromised by an attacker who injects malicious code into an update, and the organization is unaware because it has no inventory of third-party components.
Known Vulnerability in Untracked Dependency Exploited
Confidentiality: A critical CVE is published for a commonly used open-source component, but the organization cannot determine which applications are affected because no software bill of materials exists.
End-of-Life Component Remains in Production Application
Integrity: A third-party library used in a production application reaches end of life and stops receiving security patches, but this goes unnoticed because no inventory tracks component support status.
Vulnerabilities (When Safeguard Absent)
No Software Bill of Materials (SBOM)
Without an inventory of third-party components, the organization cannot identify which applications use vulnerable or compromised libraries when new threats are disclosed.
Untracked Third-Party Component Risks
Without a maintained component inventory, the risks associated with each dependency, such as known vulnerabilities, licensing issues, and support status, are neither evaluated nor monitored.
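The safeguard above asks for three things an inventory must be able to answer: which applications ship a given component (so a newly published CVE can be mapped to affected systems), what changed since the last review, and which components have passed end of support. The following added example, written for this page and not taken from CIS or from any of the tools listed above, builds such an inventory from CycloneDX-style SBOM documents. The two SBOMs, the previous-month snapshot, and the end-of-support table are all constructed for the example; component names, versions and dates are illustrative assumptions, not vulnerability or support data to rely on.

```python
"""Minimal third-party component inventory built from CycloneDX-style SBOMs.

Added example for this page. All SBOMs, snapshots and support dates below are
constructed for illustration (assumptions), not real project data.
"""
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragments, one per deployable application
# (assumption: the build pipeline emits one SBOM per application).
SBOMS = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
            {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
             "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        ],
    }),
    "web-frontend": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
            {"type": "library", "name": "request", "version": "2.88.2", "purl": "pkg:npm/request@2.88.2"},
        ],
    }),
}

# Last month's snapshot of the same inventory (constructed): billing-api was on an
# older log4j-core and web-frontend did not yet depend on lodash.
PREVIOUS_INVENTORY = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0": {"billing-api"},
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4": {"billing-api"},
    "pkg:npm/request@2.88.2": {"web-frontend"},
}

# End-of-support dates keyed by versionless purl (constructed; a real inventory
# would take these from maintainer announcements or an EOL data feed).
END_OF_SUPPORT = {
    "pkg:npm/request": "2020-02-11",  # illustrative date, treat as an assumption
}


def base_purl(purl):
    """Strip the version qualifier: pkg:npm/lodash@4.17.21 -> pkg:npm/lodash."""
    return purl.rsplit("@", 1)[0]


def build_inventory(sboms):
    """Map each component purl to the set of applications whose SBOM lists it."""
    inventory = {}
    for app, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            if comp.get("type") == "library" and comp.get("purl"):
                inventory.setdefault(comp["purl"], set()).add(app)
    return inventory


def affected_applications(inventory, package):
    """Applications shipping any version of `package` (a versionless purl)."""
    apps = set()
    for purl, owners in inventory.items():
        if base_purl(purl) == package:
            apps |= owners
    return sorted(apps)


def diff_inventory(previous, current):
    """Changes since the last review: components added, removed, or re-versioned."""
    prev_versions, curr_versions = {}, {}
    for purl in previous:
        prev_versions.setdefault(base_purl(purl), set()).add(purl)
    for purl in current:
        curr_versions.setdefault(base_purl(purl), set()).add(purl)
    added = sorted(set(curr_versions) - set(prev_versions))
    removed = sorted(set(prev_versions) - set(curr_versions))
    changed = sorted(p for p in set(prev_versions) & set(curr_versions)
                     if prev_versions[p] != curr_versions[p])
    return {"added": added, "removed": removed, "version_changed": changed}


def unsupported_components(inventory, eol_table, today_iso):
    """Components whose end-of-support date has passed, with the apps still using them."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for purl, owners in inventory.items():
        eol = eol_table.get(base_purl(purl))
        if eol is not None and date.fromisoformat(eol) <= today:
            findings[purl] = sorted(owners)
    return findings


if __name__ == "__main__":
    inv = build_inventory(SBOMS)
    print("apps shipping log4j-core:",
          affected_applications(inv, "pkg:maven/org.apache.logging.log4j/log4j-core"))
    print("changes since last review:", diff_inventory(PREVIOUS_INVENTORY, inv))
    print("past end of support:", unsupported_components(inv, END_OF_SUPPORT, "2024-01-15"))
```

Keying the inventory on the package URL rather than on the display name is deliberate: a CVE advisory or an end-of-support notice identifies the ecosystem and package, and two libraries can share a name across ecosystems. The monthly review the safeguard calls for is then the output of `diff_inventory` run against the previous snapshot plus the output of `unsupported_components` for the review date, and the per-component risk the safeguard asks to record is the place to attach results from an SCA tool to each purl.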
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |