PM-30

Supply Chain Risk Management Strategy

Program Management (PM)
Baselines
Low: Not included · Moderate: Not included · High: Not included
Description

a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
b. Implement the supply chain risk management strategy consistently across the organization; and
c. Review and update the supply chain risk management strategy on [assignment] or as required, to address organizational changes.

Discussion

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see [SR-2](#sr-2)) is implemented at the system level.

CSF 2.0 crosswalk
| Subcategory | Outcome | Function |
|---|---|---|
| DE.AE-04 | The estimated impact and scope of adverse events are understood | Detect |
| GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | Govern |
| GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | Govern |
| GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | Govern |
| GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | Govern |
| GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | Govern |
| GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | Govern |
| GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | Govern |
| GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | Govern |
| GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | Govern |
| GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | Govern |
| GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | Govern |
| GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Govern |
| ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | Identify |