正解:B
When addressing the risk of supply chain compromise (such as the introduction of malicious hardware or firmware during procurement), the acquisition process should be reviewed first. Ensuring that the process for purchasing, inspecting, and validating new equipment includes appropriate vendor vetting and secure handling practices is the first step in mitigating supply chain risks.
Reference:
CompTIA Security+ SY0-701 Official Study Guide, Domain 5.1: "Supply chain risk management begins with evaluating and controlling the acquisition process, including procurement and vendor assessment." Exam Objectives 5.1: "Explain the importance of organizational security policies, standards, and frameworks."