Supply Chain Risk Management (SR)

This page contains all 27 controls and control enhancements in the Supply Chain Risk Management (SR) family from the vendored NIST SP 800-53 Revision 5 OSCAL catalog.

Official NIST OSCAL source

  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

SR-01 (Policy and Procedures)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] supply chain risk management policy that:
      • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    • 2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;
  • b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and
  • c. Review and update the current supply chain risk management:
    • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


External Link for Additional Information: myctrl.tools


SR-02 (Supply Chain Risk Management Plan)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services];
  • b. Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and
  • c. Protect the supply chain risk management plan from unauthorized disclosure and modification.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-02 (01) (Establish SCRM Team)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-03 (Supply Chain Controls and Processes)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];
  • b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and
  • c. Document the selected and implemented supply chain processes and controls in [Selection: one or more of: security and privacy plans; supply chain risk management plan].

FedRAMP Guidance

CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.



SR-03 (01) (Diverse Supply Base)

Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-03 (02) (Limitation of Harm)

Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-03 (03) (Sub-tier Flow Down)

Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-04 (Provenance)

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-04 (01) (Identity)

Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: [Assignment: organization-defined supply chain elements, processes, and personnel].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-04 (02) (Track and Trace)

Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [Assignment: organization-defined systems and critical system components].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-04 (03) (Validate as Genuine and Not Altered)

Employ the following controls to validate that the system or system component received is genuine and has not been altered: [Assignment: organization-defined controls].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-04 (04) (Supply Chain Integrity — Pedigree)

Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis method] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-05 (Acquisition Strategies, Tools, and Methods)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined strategies, tools, and methods].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-05 (01) (Adequate Supply)

Employ the following controls to ensure an adequate supply of [Assignment: organization-defined critical system components]: [Assignment: organization-defined controls].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-05 (02) (Assessments Prior to Selection, Acceptance, Modification, or Update)

Assess the system, system component, or system service prior to selection, acceptance, modification, or update.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-06 (Supplier Assessments and Reviews)

FedRAMP Rev5 Baselines: Class C, Class D

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-06 (01) (Testing and Analysis)

Employ [Selection: one or more of: organizational analysis; independent third-party analysis; organizational testing; independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-07 (Supply Chain Operations Security)

Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined OPSEC controls].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-08 (Notification Agreements)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection: one or more of: notification of supply chain compromises].


FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Communication rules.



SR-09 (Tamper Resistance and Detection)

FedRAMP Rev5 Baselines: Class D

Implement a tamper protection program for the system, system component, or system service.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-09 (01) (Multiple Stages of System Development Life Cycle)

FedRAMP Rev5 Baselines: Class D

Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-10 (Inspection of Systems or Components)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Inspect the following systems or system components [Selection: one or more of: at random; at; upon] to detect tampering: [Assignment: organization-defined systems or system components].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-11 (Component Authenticity)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
  • b. Report counterfeit system components to [Selection: one or more of: source of counterfeit component].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-11 (01) (Anti-counterfeit Training)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-11 (02) (Configuration Control for Component Service and Repair)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-11 (03) (Anti-counterfeit Scanning)

Scan for counterfeit system components [Assignment: organization-defined frequency].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.



SR-12 (Component Disposal)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

