Supply Chain Clause Harmonizer

    Overview

    Draft and validate C-SCRM (Cybersecurity Supply Chain Risk Management) Security Requirement Annexes for vendor contracts, aligned to NIST CSF 2.0 Govern — Supply Chain (GV.SC) and NIST SP 800-161. The skill selects clauses by vendor Criticality Tier (Critical, High, Medium, Low) and validates annex drafts against mandatory supply chain control themes so nothing is omitted before flow-down to vendors.

    Example Conversation

    You: We’re onboarding a High-tier SaaS vendor that will process customer data. I need a C-SCRM security requirement annex for the contract. Can you draft it and make sure it’s aligned with NIST 800-161?

    Agent: I’ll use the Supply Chain Clause Harmonizer. For a High tier we need right to audit (including on-site/unannounced where appropriate), vulnerability disclosure timelines, breach notification, subprocessor flow-down, secure disposal, component authenticity, pen test/assessments, and change notification. I’ll run select_clauses_by_tier for High, then draft the annex from the template and run nist_supply_chain_bridge to validate.

    Agent: (Runs select_clauses_by_tier with tier High and gets the clause list.) Creating annex-saas-vendor-2025.md from the template and filling each section for High tier…

    Agent: Draft is ready. Running nist_supply_chain_bridge on the annex…

    Agent: Result of nist_supply_chain_bridge:

    — NIST SUPPLY CHAIN BRIDGE (SP 800-161) —
    Result: PASS
    [OK] C-SCRM policy / scope or risk management context
    [OK] Security controls and processes
    [OK] Right to audit / inspection
    [OK] Breach / incident notification
    [OK] Vulnerability disclosure or patch management
    [OK] Supplier assessment / review
    [OK] Acquisition / contract context
    [OK] Disposal / data return / termination

    All NIST SP 800-161 mandatory supply chain control themes are present or clearly addressed.

    The annex is ready for legal review and flow-down into the vendor contract.

    Output Excerpt

    After the agent drafts the annex and the bridge passes, a typical document includes scope, controls, audit rights, notification timelines, and flow-down. Excerpt:

    # C-SCRM Security Requirement Annex
    
    **Vendor / Contract:** Acme SaaS Ltd — Master Service Agreement  
    **Criticality Tier:** High  
    **Effective date:** 2025-03-01
    
    This annex sets forth cybersecurity supply chain risk management (C-SCRM) security requirements to be flowed down to the Vendor pursuant to NIST CSF 2.0 (GV.SC) and NIST SP 800-161. The Vendor shall comply with these requirements for the duration of the agreement.
    
    ## 1. Scope and Policy Context
    
    These requirements align with [Organization]’s C-SCRM policy and supply chain risk management program. They implement flow-down expectations consistent with NIST SP 800-161 and the Govern — Supply Chain (GV.SC) category of the NIST Cybersecurity Framework 2.0.
    
    ## 2. Security Controls and Processes
    
    The Vendor shall maintain technical and organizational measures including: access control and MFA, encryption of data at rest and in transit, incident response and breach procedures, change management, and vulnerability management. Controls shall be documented and made available for assessment upon request.
    
    ## 3. Right to Audit and Inspection
    
    [Organization] reserves the right to conduct audits and inspections of the Vendor’s systems, processes, and records relevant to the services, including on-site and, where reasonable, unannounced visits with at least 14 days’ notice for scheduled audits. The Vendor shall provide access to personnel, facilities, and evidence (e.g. SOC 2 reports, policies) as reasonably required.
    
    ## 4. Breach and Incident Notification
    
    The Vendor shall notify [Organization] of any security incident or breach affecting [Organization]’s data or systems within **72 hours** of discovery. Notification shall include nature of the incident, data affected, and remedial steps. A designated point of contact for security incidents shall be maintained.
    

    The validation script would report PASS when all eight control themes (scope, controls, right to audit, breach notification, vulnerability disclosure, supplier assessment, contract/flow-down, disposal) are present in the annex text.

    Extension Tools and Validations

    The skill includes two extension tools: one to select clauses by tier, and one to validate the annex against NIST SP 800-161.

    select_clauses_by_tier returns the recommended clause set for a given Criticality Tier:

    • Input — One of: Critical, High, Medium, Low.
    • Output — A list of clause titles and descriptions to include in the annex (e.g. Right to Audit, Vulnerability Disclosure Timelines, Breach and Incident Notification, Subprocessor Flow-Down, Secure Disposal, Component Authenticity for Critical/High, Pen Testing and Third-Party Assessments for Critical/High, Change Notification). Tier-specific strength notes (e.g. Critical/High: on-site and unannounced permitted; breach ≤72h) are included so the drafter can set the right level of obligation.

    Use this tool at the start of an annex or whenever the user specifies or changes the vendor tier.

    nist_supply_chain_bridge validates an annex draft against eight NIST SP 800-161–aligned control themes:

    | Check | What it looks for | NIST alignment |
    | --- | --- | --- |
    | C-SCRM policy / scope | Supply chain risk, C-SCRM, or risk management policy/plan/context; security requirements annex | SR-1, SR-2 |
    | Security controls and processes | Security controls, technical/organizational measures, security practices | SR-3 |
    | Right to audit / inspection | Right to audit or inspect; on-site or physical audit/inspection | SR-10 |
    | Breach / incident notification | Breach or incident notification; timelines (hours/days) | SR-8 |
    | Vulnerability disclosure | Vulnerability disclosure, patch/vuln management, disclosure or remediation timelines | |
    | Supplier assessment / review | Supplier/vendor assessment, periodic review, questionnaire, SOC 2 or audit | SR-6 |
    | Acquisition / contract context | Contract/agreement/annex and security/requirements; flow-down, subcontractor, subprocessor | SR-5 |
    | Disposal / data return | Secure disposal/destruction/return of data; termination and data return; component disposal | SR-12 |

    The tool scans the annex file for each theme (via pattern match). It reports PASS only when all eight are present; otherwise it reports FAIL and lists each missing theme with guidance (e.g. “Annex must include right to audit or inspect vendor systems/processes (SR-10)”). Run it after drafting or updating the annex and iterate until the report shows PASS before finalizing for contract flow-down.
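    The eight-theme check described above, as an added Python example that is not the skill's own code: one regex per theme (approximations built from the table, since the tool's actual patterns are not published), a PASS/FAIL result with per-theme guidance in the format the page quotes, run first on a constructed draft that lacks a disposal clause and then on the same draft with that clause appended.

```python
import re
# Eight SP 800-161-aligned themes from the page's table. The regexes and guidance
# strings are this example's own approximations of the tool's pattern matching,
# not the skill's code; the vulnerability theme has no SR mapping on the page.
THEMES = [
    ("C-SCRM policy / scope", r"c-scrm|supply chain risk|risk management (policy|plan|program)",
     "Annex must state C-SCRM policy / scope or risk management context (SR-1, SR-2)"),
    ("Security controls and processes", r"security controls|technical and organi[sz]ational measures",
     "Annex must describe security controls and processes (SR-3)"),
    ("Right to audit / inspection", r"right to (conduct )?(audit|inspect)|on-site",
     "Annex must include right to audit or inspect vendor systems/processes (SR-10)"),
    ("Breach / incident notification", r"(breach|incident) notification|notify .{0,80}?(incident|breach)",
     "Annex must require breach / incident notification with a timeline (SR-8)"),
    ("Vulnerability disclosure", r"vulnerability (disclosure|management)|patch management",
     "Annex must cover vulnerability disclosure or patch management"),
    ("Supplier assessment / review", r"(supplier|vendor) assessment|periodic review|questionnaire|soc 2",
     "Annex must provide for supplier assessment / periodic review (SR-6)"),
    ("Acquisition / contract context",
     r"(contract|agreement|annex).{0,60}?(security|requirement)|flow(ed|-)?[ -]?down|sub(contractor|processor)",
     "Annex must tie requirements to the contract and flow-down (SR-5)"),
    ("Disposal / data return", r"secure (disposal|destruction)|return of data|data return|component disposal",
     "Annex must require secure disposal / data return on termination (SR-12)"),
]

def nist_supply_chain_bridge(annex_text):
    """Scan the annex for every theme; PASS only when all eight are present."""
    missing = [(name, guidance) for name, pattern, guidance in THEMES
               if not re.search(pattern, annex_text, re.I | re.S)]
    return {"result": "PASS" if not missing else "FAIL", "missing": missing}

# Constructed draft modelled on the page's excerpt (scope through notification),
# so the disposal / data return theme is deliberately absent until the clause is added.
ANNEX_DRAFT = """# C-SCRM Security Requirement Annex
This annex sets forth C-SCRM security requirements flowed down to the Vendor.
The Vendor shall maintain technical and organizational measures, including
change management and vulnerability management.
## Right to Audit and Inspection
[Organization] reserves the right to conduct audits, including on-site visits;
evidence (e.g. SOC 2 reports) shall be provided on request.
## Breach and Incident Notification
The Vendor shall notify [Organization] of any security incident within 72 hours.
"""
DISPOSAL_CLAUSE = """## Disposal and Data Return
On termination the Vendor shall return all data and certify secure disposal
of any components holding it within 30 days.
"""

if __name__ == "__main__":
    for draft in (ANNEX_DRAFT, ANNEX_DRAFT + DISPOSAL_CLAUSE):  # FAIL first, then PASS
        print(nist_supply_chain_bridge(draft))
```

    Keyword presence is all this kind of check establishes; whether the matched clause is strong enough for the vendor's tier remains a legal and procurement review question.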

    Getting Started

    Add your vendor and contract context to the project workspace and activate the Supply Chain Clause Harmonizer skill. Determine the vendor’s Criticality Tier, run select_clauses_by_tier, draft the annex from the template (or an existing draft), and run nist_supply_chain_bridge until the annex passes. Then send the annex for legal and procurement review.
