SR-2

Supply Chain Risk Management Plan

Supply Chain Risk Management (SR)
Baselines
Low · Included
Moderate · Included
High · Included
Description

a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components, or system services: [assignment];
b. Review and update the supply chain risk management plan [assignment] or as required, to address threat, organizational, or environmental changes; and
c. Protect the supply chain risk management plan from unauthorized disclosure and modification.

Discussion

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, presents an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system level) is implementation specific, providing policy implementation, requirements, constraints, and implications. It can either be stand-alone or incorporated into system security and privacy plans. The SCRM plan addresses the management, implementation, and monitoring of SCRM controls and the development and sustainment of systems across the SDLC to support mission and business functions. Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment.
Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8)).

Implementation guidance

No content available.

CSF 2.0 crosswalk
| CSF 2.0 subcategory | Description | Function |
|---|---|---|
| GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | Govern |
| GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | Govern |
| GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | Govern |
| GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | Govern |
| GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | Govern |
| GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | Govern |
| GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | Govern |
| GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Govern |
| GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Govern |
| ID.AM-04 | Inventories of services provided by suppliers are maintained | Identify |
| ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | Identify |